In a now familiar pattern, a major breach of a private sector company has resulted in a lawsuit over its cybersecurity practices.
On June 20, three Louisiana individuals headed up a class-action lawsuit filed in a Massachusetts district court against Progress Software, the Bedford, Massachusetts, makers of the MOVEit file Transfer and Cloud file transfer service that are used by thousands of entities and have been exploited over the past month to compromise an ever-growing list of companies and government agencies.
The plaintiffs represent more than 100 individuals who say Progress Software’s security practices were negligent, resulting in their personal data being exposed and stolen through the hack. The complaint characterizes this information as “a gold mine for data thieves” and the victims are seeking damages in excess of $5 million.
One of the lead plaintiffs, Shavonne Diggs, reportedly received “numerous phishing calls” following the breach from scammers who claimed she had signed up to attend different academic institutions, as well as an unauthorized charge on one of her payment cards.
“Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including … opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest,” lawyers for the plaintiffs wrote.
Progress Software disclosed and patched an SQL injection vulnerability on May 31 that could lead to elevated privileges and remote code execution, and security researchers quickly found evidence of exploitation in the wild across a broad section of businesses, with the Cl0p ransomware gang releasing a steady stream of victims on its dark web leak site.
Weeks later, the company disclosed an additional, separate SQL vulnerability affecting MOVEit Transfer and rolled out another patch while temporarily shutting down MOVEit Cloud (Progress Software’s website claims that as of June 18, they are not aware of this second vulnerability being exploited and that the shutdown of MOVEit Cloud was done was a precautionary measure.)
The lawsuit states that Progress Software’s customers entrusted their sensitive files to the company and as a result expected them to secure their data. They also claim the company's insufficient security practices violated contractual agreements with customers to secure their data and may constitute an “unfair practice” under the Federal Trade Commission Act, which stresses that cybersecurity should be factored into all business decision making.
The complaint claims Progress Software did not notify members of the class or other victims that they were impacted, and they only learned they were when the Louisiana Office of Motor Vehicles began informing state residents that their data was included in the breach.
As a result, the company has provided plaintiffs with no “assurance” that they have since imposed enhanced data security measures to avoid similar vulnerabilities in their products. Thus, they “are at an imminent, immediate and continuing increased risk of suffering ascertainble losses” in the future.
In a statement, a public relations firm representing Progress Software said they cannot comment on an ongoing lawsuit and are focused on helping customers recover from the hack.
"We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have released,” the spokesperson wrote. “We continue to work with leading cybersecurity experts and are committed to playing a collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."
Post-breach lawsuits from customers, shareholders or victims targeting a business’ security practices have become increasingly common in the modern digital age. Companies like software provider SolarWinds, home care service provider SuperCare, Mercy Health Network, RobinHood Financial, the San Francisco 49ers and the City of Oakland have all faced similar legal actions following their own data breaches.
Like many of those suits, this complaint does not offer any specific examples of security failures that directly led to the breach. Rather, it argues that Progress Software generally failed to follow “industry best practices” around cybersecurity, such as installing malware detection software, monitoring network ports, protecting web browsers and email management systems, putting firewalls, switches and routers in place, monitoring physical security gaps and training staff, that could have potentially detected or stopped the breach.
Defendant businesses often argue that they operate in a world where well-funded cyber criminals and nation states are investing huge sums of money and other resources into exploiting software and other products, and that they are ultimately victims themselves who should not be held liable for being breached in such an environment.
Despite their sheer number in recent years, these lawsuits almost never conclusively answer whether and how much private companies are legally responsible for their breaches or security practices. The vast majority of cases end through settlements, before a judge can make a ruling.
