Deepening Impact of Financial Losses from MOVEit Reductions at Progress Software
Progress Software, a leading software company, is currently embroiled in a series of legal battles and investigations following a cyberattack on their MOVEit environments in November 2023. The incident resulted in unauthorized access to Progress' corporate network and the theft of corporate data.
The company has disclosed this in an 8-K filing with the Securities and Exchange Commission (SEC). According to the filing, costs related to the cyberattacks against MOVEit environments have reached $2.9 million through August 2025, with Progress directly incurring $1 million after insurance recoveries.
The investigation into the November incident was carried out by Progress itself. The company has also been cooperating with the SEC's fact-finding investigation and is continuing to engage with the cybersecurity community. Progress maintains that the SEC's investigation does not imply any violation of federal securities laws.
The MOVEit breach, linked to Progress Software’s file-sharing product and exploited by the Clop ransomware group, began as early as 2021 and impacted over 2,500 organizations and 67-77 million individuals globally. Plaintiffs allege that Progress failed to secure consumer data properly.
One of the affected organizations, Nuance Communications, a Microsoft unit, has agreed to an $8.5 million settlement to resolve litigation concerning the incident. This settlement, preliminarily approved by the court, covers approximately 1.2 million patients whose data was compromised and provides for reimbursement and credit monitoring.
Despite this settlement, Progress faces a swelling docket of lawsuits as the multidistrict litigation (MDL) against the company progresses. The federal court has allowed lawsuits against Progress Software to continue, rejecting efforts to dismiss key claims as of July 31, 2025. Plaintiffs are alleging negligence and inadequate data security.
Progress is party to 58 class-action lawsuits filed by individuals claiming impacts from the data stolen in MOVEit customers' environments. The insurance coverage balance is dwindling after recoveries from the MOVEit and November cyberattacks, with $10.1 million of insurance coverage remaining.
Progress has also received formal letters from 23 customers and others claiming impacts from the attacks, with some indicating plans to seek restitution. An insurer has submitted a subrogation claim to Progress seeking recovery for expenses incurred by the MOVEit attacks.
Despite the mass-exploit of a zero-day vulnerability in MOVEit and subsequent ransomware attacks, Progress has endured minimal business impact to date. The company remains focused on supporting its customers, including promptly and transparently sharing information about the coordinated attack on their environments.
As of August 2025, class-action lawsuits against Progress Software related to the MOVEit vulnerability exploit and resulting cyberattacks are actively progressing in federal courts. The United States District Court for the District of Massachusetts has largely denied motions to dismiss in two bellwether cases, allowing claims of negligence, breach of contract, unjust enrichment, and various consumer protection related allegations against Progress Software to move forward.
This ongoing litigation pressure on Progress Software, alongside some resolutions for affected customers like Nuance, indicates a complex legal landscape for the company moving forward.
[1] [Source 1] [2] [Source 2] [3] [Source 3] [4] [Source 4] [5] [Source 5]
- Despite the large-scale exploitation of a zero-day vulnerability in Progress Software's MOVEit environment by the Clop ransomware group, Progress has managed to limit the business impact to date.
- The ongoing litigation against Progress Software, stemming from the MOVEit vulnerability exploit and resulting cyberattacks, has been complex, with Progress facing numerous class-action lawsuits and formal claims.
- The MOVEit breach, attributed to Progress Software's file-sharing product, posed a significant privacy risk, impacting over 2,500 organizations and potentially 67-77 million individuals globally, as alleged by plaintiffs.
