A ransomware gang used a zero-day exploit in Progress Software’s MOVEit Transfer to steal thousands of companies’ data, affecting over 60 million people.

In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Progress quickly issued a patch, but the damage was already extensive. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients like British Airways and BBC, and others.

How many others? According to a running tally from Emsisoft, over 2,000 organizations have reported being attacked, with data thefts affecting more than 62 million people. The vast majority of attacks were on US-based entities. Most recently, BORN Ontario, which first reported being attacked in June, revealed that data from newborns and pregnant patients in Ontario, spanning from January 2010 to May 2023, was stolen, affecting on the order of about 3.4 million people.

Progress issued two more patches on June 9th and June 15th, both of which addressed further vulnerabilities that were “distinct” from the original exploit. In both cases, the company’s page announcing those patches says that, while its investigations are ongoing, it doesn’t see any evidence they were used for further attacks.

There has been… so very much legal action after the attacks. Class action lawsuits have been filed against IBM, which ran servers that were breached for multiple organizations, Prudential Financial, Progress Software itself, and others. The MOVEit breach and other high-profile hacks have led to the SEC requiring public companies to issue disclosures within four days of discovering a cybersecurity incident, except when the disclosure could be a national security or public safety risk.