Five class action lawsuits have been launched against the publisher of MOVEit Transfer, the software at the centre of the biggest cyberattack of the year. The court actions allege that Progress Software, which makes MOVEit Transfer, failed to address a vulnerability which had been present in the file transfer platform since 2021. The flaw has been exploited by the Russian-linked hacking gang Cl0p, which has used it to steal data from hundreds of organisations, including some of the biggest names in business.

Progress Software, publisher of MOVEit Transfer, faces five lawsuits concerning a widely exploited vulnerability in its software. (Photo by Tero Vesalainen/Shutterstock)

The civil complaints, filed in the US district courts of Maryland and Massachusetts by law firm Hagens Berman, name Progress Software, as well as four other organisations which have seen data stolen as a result of the vulnerability: Pension Benefit Information, Talcott Resolution Life Insurance, the Johns Hopkins Health System and Johns Hopkins University itself. The latest case, filed on Tuesday, accuses Progress of “negligence, unjust enrichment and breach of contract”. Undisclosed damages are being sought.

MOVEit Transfer vulnerability: a ‘cybersecurity disaster of staggering proportions’

The attack has seen Cl0p take advantage of the previously unknown flaw in MOVEit Transfer, a managed file transfer platform used by businesses around the world to move files securely. It has enabled the cybercriminals to access the systems of MOVEit Transfer users and, in many cases, to steal data belonging to those users' own customers, who had no direct relationship with Progress, in what is known as a supply chain attack.

Victims of the breach include British Airways, the BBC and Shell, as well as many large businesses in the US, which are likely to be the focus of Hagens Berman’s court actions. The court filing says over 600 businesses have been hit in the breach, compromising information on 40 million people.

Sean Matt, partner at Hagens Berman and the attorney leading the lawsuits against Progress, described the incident as a “cybersecurity disaster of staggering proportions”. Matt said: “Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software”. He added: “The data compromised in this incident – social security numbers, banking information and even the names of people’s children – will undoubtedly lead to years of strife and concern.”

The lawsuit alleges that the vulnerability has existed since 2021, but was never rectified due to Progress’s “negligence”. It has not been disclosed how many people have joined the court action, but Hagens Berman has previously litigated a similar case against mobile network T-Mobile over a 2021 data breach. The network eventually paid out $350m to victims.

Pension Benefit Information saw 1.2 million customer records stolen in a breach exploiting the MOVEit Transfer vulnerability. More than 500,000 Talcott Resolution clients were hit during a breach in June, while Johns Hopkins University and its health system confirmed in July that they had both been hit, but did not disclose how much data had been stolen.

Tech Monitor has contacted Progress Software, and the other companies named in the lawsuit, for comment.

IBM MOVEit Transfer breach exposes millions

Though the MOVEit Transfer vulnerability was discovered three months ago, new victims are still emerging. This week it was revealed four million US citizens had had their data stolen by Cl0p as a result of IBM’s use of MOVEit Transfer.

These latest victims are people living in Colorado whose medical insurance details are held by the state's healthcare department, HCPF. In a breach notification, it said one of its main technology providers, IBM, “uses the MOVEit application to move HCPF data files in the normal course of business”, and that hackers had gained access to data including names, dates of birth and Social Security numbers.

IBM’s breach also impacted the state of Missouri, with its Department of Social Services declaring a breach earlier this month. It is not yet known what type of data has been stolen.
