Export Compliance Daily is a Warren News publication.
'Unspecified Ransom'

Calif. Plaintiff Sues Progress Software, Pension Firm Over MOVEit Data Breach

Progress Software Corp. (PSC) and Pension Benefit Information (PBI) “owed duties” to plaintiff Rosemary Mosqueda and class members, said a Tuesday class action (docket 0:23-cv-02278) in U.S. District Court for Minnesota about a May 27 data breach affecting PSC’s MOVEit software.


Mosqueda, a Sacramento resident, received a June 22 letter from the California Public Employees' Retirement System informing her that her personally identifiable information (PII) and personal health information (PHI) were compromised in the data breach and accessed by cybercriminals via the defendants’ systems. The letter said the breach at third-party provider PBI Research Services/Berwyn Group involved the MOVEit Transfer application; Mosqueda's information that was downloaded included “full name, date of birth and Social Security number. It could have also included the names of your child or children,” said the letter.

On or around May 31, PSC discovered a vulnerability in its MOVEit Transfer and MOVEit Cloud systems that could lead to “escalated privileges and potential unauthorized access,” said the complaint. The company notified “all customers and developed and released a security patch” within 48 hours, assigning the event a “severity rating of 9.8 out of 10,” it said.

On June 9, PSC and its contracted cybersecurity firm, Huntress, discovered additional vulnerabilities separate from the previously reported incident, said the complaint. The cause of the breach was reported to be a ransomware attack by Cl0p cybercriminals, who claimed to have stolen PII and PHI from over 550 organizations and 37 million individuals, including U.S. schools and public and private sectors. The complaint referenced reports that Cl0p requested “unspecified ransom” from the affected organizations in exchange for abstaining from releasing consumers’ PII and PHI. Plaintiff’s and class members’ sensitive information is “irrefutably in the possession of known bad actors,” it said.

The complaint referenced a July blog post on cybersecurity firm Emsisoft's website saying the MOVEit software data breach is unique from most other recent data breaches because MOVEit is widely used, and the breach affected primary users of the software as well as their contracted third parties that also use the software.

Defendants breached their duties by “failing to implement and maintain reasonable security procedures and practices” to protect the PII and PHI entrusted to them from unauthorized access and disclosure, the complaint said. Before retaining counsel for the claims, Mosqueda spent “at least an hour” monitoring various accounts for fraudulent activity and identity theft and will continue to do so “in the days, weeks, and months following the filing of this complaint.”

Mosqueda asserts claims of negligence; negligence per se; invasion of privacy; unjust enrichment; and violation of California’s Confidentiality of Medical Information Act, Customer Records Act, Unfair Competition Law and privacy rights under its constitution. She seeks for herself and the class actual, statutory, punitive and monetary damages to the maximum allowable extent; injunctive relief; pre- and post-judgment interest and attorneys’ fees and legal costs.

PSC emailed Thursday: "We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed." PBI didn't comment.