Progress Software CEO Yogesh Gupta has downplayed the reputational impact of the massive MOVEit Transfer attack, saying most customers were “really happy” with the way the company responded.
But he said it was too early to tell how a series of class action lawsuits brought on behalf of the victims of the attacks might affect the company’s bottom line.
Gupta’s comments were made a day before Progress announced the availability of patches for eight newly-discovered vulnerabilities – two of them critical – in another product line: its WS_FTP server software.
Progress disclosed a critical zero-day vulnerability in the MOVEit Transfer file transfer application on May 31. The flaw – which allowed unauthorized access to organizations’ MOVEit environments – was exploited on a vast scale by the Clop ransomware gang.
According to Emsisoft, which has been tracking the impact of the supply chain breaches, as of Sept. 27, 2122 companies were known to have been either directly or indirectly affected and data belonging to more than 62 million individuals had been compromised.
“Minimal impact” from MOVEit mess
On a Sept. 26 quarterly earnings call, Gupta was asked what business fallout and financial impact had resulted from the attacks, and how many MOVEit customers Progress had lost.
He did not address how many users had ditched the solution but said customers had been “extremely positive about what we’ve been doing for them”.
In its third-quarter results, covering the three-month period since it disclosed the vulnerability, Progress reported spending $951,000 on its response to the incident. During the quarter its total revenue was $175 million, up 16% on the same period last year. MOVEit Transfer sales account for only about 4% of the company’s total revenue.
“As we mentioned (in the results), there was minimal impact on our business in Q3,” Gupta said. “In Q4, and for the year, we are still confident about our outcomes, so we’re not really seeing what I would call a meaningful impact from our customers at this point.”
Last month, consumer-rights law firm Hagens Berman filed five nationwide class-action lawsuits against Progress related to the data breaches.
“As far as litigation expense, it is way too early to try to do any kind of an estimate as to what it would be,” Gupta said, adding that Progress had $15 million of cyber insurance cover.
“We just don’t know what the future litigation impact might be because it is so early, but in general customers have been, to be honest, really happy with our response.”
The company said it intended to provide more details on the MOVEit vulnerability when it filed its next 10-Q, a comprehensive quarterly financial report required by the SEC.
Critical vulnerabilities hit another Progress solution
Meanwhile, in a Sept. 27 advisory, Progress said it had issued patches for eight recently discovered vulnerabilities in its WS_FTP Server Ad Hoc Transfer Module and WS_FTP Server manager interface.
Two of the vulnerabilities were rated critical. The first, a .NET deserialization vulnerability in the Ad Hoc Transfer Module, tracked as CVE-2023-40044, had the highest possible CVSS rating of 10.
The second, a directory traversal vulnerability in WS_FTP Server versions prior to 8.74 and 8.8.2, tracked as CVE-2023-42657, was rated 9.9.
“We have addressed these issues and have made version-specific hotfixes available for customers to remediate them,” the advisory said. Progress said it “strongly” recommended that customers apply the upgrades. The advisory did not say whether the vulnerabilities had been exploited in the wild.