Progress Software has experienced minimal impact from the mass exploitation of a zero-day vulnerability in its MOVEit file transfer service, despite supply chain compromises that affected more than 2,100 organizations. Researchers say the data of at least 62 million people was exposed by these attacks.
Progress reported $951,000 in cyber incident and vulnerability response spending during its third fiscal quarter, which ended Aug. 31, and said more details would be included in its upcoming 10-Q.
The cost represents 0.5% of the $175 million in revenue Progress reported in the quarter, up 6% year over year.
The impact on the overall business is “minimal” and it is too early to assess the impact of potential litigation, CEO Yogesh Gupta said during the company’s earnings conference call Tuesday.
“From a customer perspective, our customers have been extremely positive about what we have done for them,” Gupta said.
“We’re not really seeing what I would call a significant impact from our customers at this point,” he said.
Progress doesn’t break out MOVEit’s financial performance on its own, but the company says the service represents less than 4% of its overall revenue.
Gupta did not directly answer a Wall Street analyst’s question about how many customers have left the platform since the wave of attacks in late May.
Progress has declined several inquiries about how many organizations were using MOVEit when the previously unknown vulnerability was discovered and widely exploited.
The zero-day vulnerability was disclosed and corrected on May 31, but the damage was already done. Nearly four months later, the consequences of this mass exploit continue to spread, making it the largest cyberattack of this year.
“Our rapid and transparent response since the beginning of this incident has also given MOVEit customers confidence and we believe this has helped build customer loyalty,” a MOVEit spokesperson told Cybersecurity Dive via email.
“This was a coordinated attack on our customers’ environments by a sophisticated criminal organization. MOVEit Transfer is on-premises software running in our customers’ environments, so we have no visibility into what data has been accessed by cybercriminals. However, as we see disclosures in the media regarding the type of information that was stolen, we deeply sympathize with the individual end users who were impacted by this attack,” the company said.
“Progress has continued to work closely with our customers. We are committed to playing a collaborative role in industry-wide efforts to combat increasingly sophisticated and persistent cybercriminals who seek to maliciously exploit vulnerabilities in widely used software products,” MOVEit said.
Potential pain ahead
Although Progress has not suffered any significant consequences related to the MOVEit mass exploit so far, that could change.
“We just don’t know what the future impact of litigation might be because it’s too early, but in general, to be honest, customers have been very happy with our response,” Gupta said on the earnings call.
A month after the attacks, four affected customers said they would seek compensation from Progress and 11 class-action lawsuits had been filed against the company by individuals, the company said in its 10-Q filing on July 7.
Consumer rights law firm Hagens Berman filed five nationwide class-action lawsuits against Progress in August, accusing the company of negligence, unjust enrichment and breach of contract.
Hagens Berman, one of the firms selected to finalize a $350 million settlement that T-Mobile agreed to pay following its 2021 breach, alleges that the widely exploited MOVEit vulnerability had existed since 2021.
Progress expects to incur additional investigative, legal and other expenses related to the MOVEit vulnerability exploits, but said it could not reasonably estimate a range of possible losses. The company has $12 million in cyber insurance coverage, which it plans to pursue to the fullest extent possible.
Customers suffer the damage
The downstream impact for organizations that were using the service at the time of the attack, as well as their respective customers, is massive and growing.
Large financial institutions, law firms, insurance companies, schools, health care companies, and government agencies have all been affected by this slow-moving disaster.
This lopsided impact highlights why the drumbeat for secure-by-design and secure-by-default principles is getting louder, according to Katell Thielemann, distinguished vice president analyst at Gartner.
“So far, the economic equation has placed most of the burden of managing vulnerable products on users, most of whom are least likely to be able to manage them,” Thielemann said by email.
“And market forces haven’t really succeeded in forcing producers to care enough about them to prevent them in the first place,” Thielemann said.
The ambitious push to shift responsibility for the security of technology products and services onto manufacturers and vendors is a key pillar of the federal cybersecurity efforts outlined in the national cyber strategy.
“Many proponents of this change argue that developers and manufacturers understand their products best and are also the centralized entity responsible for releasing patches, updates, and other maintenance solutions,” Amy Chang, lead researcher in cybersecurity and emerging threats at the R Street Institute, said by email.
This incident also highlights “the downstream impacts of vendors who had little recourse to remediate the effects of compromised software,” Chang said.
There should be repercussions for companies that fail to address known vulnerabilities, Chang said. But “punishing any company that fails to predict the consequences of vulnerabilities that have not yet been discovered or exploited would be unfair and could potentially hinder innovation.”