Export Compliance Daily is a Warren News publication.
'Imminent Harm'

Progress Software's May Data Breach Touched 2,500 Firms: Class Action

A massive May 28 data breach and subsequent attacks on Progress Software Corp.’s (PSC) MOVEit file transfer software affected 2,546 organizations as of Oct. 11, alleges a negligence class action (docket 1:23-cv-12450) in U.S. District Court for Massachusetts in Boston. The breach affected the records of about 64.5 million individuals, said the complaint, citing anti-malware company Emsisoft.



The lawsuit documented June and July communications from PSC to its customers, including Microsoft and Google, disclosing additional vulnerabilities and ransomware threats by “the CL0P Ransomware Gang, also known as TA505.” On July 7, PSC notified investors that two MOVEit Cloud customers reported that malicious threat actors exploited the vulnerability to gain access to its environment, the complaint said. On Oct. 10, PSC told investors one customer reported “certain personally identifiable information was exfiltrated.”

Organizations with the greatest number of affected individuals are Maximus Federal Services, with 11 million, and Colorado Department of Health Care Policy and Financing (HCPF), at 4 million, the complaint said. PSC’s failure to “reasonably secure” consumers’ personally identifiable information (PII) and personal health information (PHI) from the foreseeable risk of its being stolen through its vulnerable MOVEit software, as exploited by CL0P, caused the data breach, said the complaint. CL0P previously carried out similar attacks on file transfer platforms from Accellion, SolarWinds and Fortra/Linoma, it said.

PSC obtained plaintiff Carin Dickmeyer’s PII and PHI through Maximus, a contractor that provides appeals services supporting Medicare, said the complaint. The California resident would not have entrusted her PII to a PSC customer if she had known that one of the customer’s IT vendors with access to her PII “failed to maintain adequate data security,” the complaint said. As a result of the PSC data breach, Dickmeyer was “harmed by receiving a significant increase in spam and phishing emails and must expend time to review the emails and determine if the emails are legitimate,” the complaint said. She has experienced increased anxiety and emotional distress and has had to spend time to mitigate “imminent harm” resulting from the risk of cybercriminals’ access to her PII, it said.

PSC obtained the PHI of Colorado plaintiff Joel Bonnett via IBM, a vendor for HCPF, which oversees Colorado’s Medicaid program, the complaint said. HCPF informed Bonnett that his PII and PHI may have been compromised in the MOVEit data breach. Bonnett was harmed by having to spend money and time obtaining credit monitoring and identity protection services when he was unable to access the services offered by HCPF, the complaint said.

In its privacy policy, updated July 1, PSC says it is “committed to protecting the privacy of individuals” who visit its websites, register to use its services and register to attend its corporate events, said the complaint. In its most recent annual report, PSC describes itself as “the trusted provider of the best products to develop, deploy and manage high-impact business applications,” the complaint said.

PSC notified California residents that it collects information such as name, address and Social Security number, characteristics of protected classification under California or federal law, commercial information, product purchase history, internet activity, geolocation data, audio/visual information, education data and account log-in and passwords, the complaint said.

As a business associate of Health Insurance Portability and Accountability Act (HIPAA) Covered Entities, PSC knew it was required to safeguard PHI, according to the HIPAA compliance FAQs on its website, the complaint said. Under the HIPAA privacy rule, business associates such as PSC must “implement appropriate safeguards to protect the privacy of PHI,” and must notify Covered Entities of a PHI breach, it said.

In addition to negligence, gross negligence and negligence per se, plaintiffs allege breach of implied contract and third-party beneficiary contract; unjust enrichment; invasion of privacy; violation of the California Customer Records Act, Unfair Competition Law, Consumer Legal Remedies Act and Confidentiality of Medical Information Act; and violation of the Colorado Security Breach Notification and Consumer Protection acts.

Plaintiffs seek equitable relief requiring PSC to devise and employ appropriate policies for consumer and patient data collection, storage and protection; to disclose the specific PII compromised in the breach; restitution and disgorgement of revenues wrongfully retained as a result of its wrongful conduct; actual, compensatory, punitive and statutory damages and penalties; to pay for at least 10 years of credit bureau and identity theft monitoring and identity theft insurance for plaintiffs and class members; pre- and post-judgment interest; and attorneys' fees and costs.

A MOVEit spokesperson emailed Monday: "We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed."