Multiple Class-Action Lawsuits Filed After 2023 MOVEit Data Breach Affecting More Than 40 Million People
BOSTON – Following the 2023 MOVEit data breach, attorneys at leading consumer-rights law firm Hagens Berman filed five nationwide class-action lawsuits against Progress Software and various other organizations for compromising the sensitive personal information of an estimated 40 million people.
Data compromised in the 2023 MOVEit data breach includes contact information, dates of birth, social security numbers, pension information, medical records, billing data and banking information. More than 600 organizations were hacked, including banks, schools and government agencies.
“This is a cybersecurity disaster of staggering proportions,” said Sean Matt, partner at Hagens Berman and attorney leading the lawsuits against Progress. “Millions of individuals are now at the mercy of cybercriminals due to a single security vulnerability in the design of the MOVEit software. The data compromised in this incident — social security numbers, banking information and even the names of people’s children — will undoubtedly lead to years of strife and concern.”
“This is not just a data breach, but an unacceptable breach of the public’s trust in Progress and other companies that have a responsibility to protect the private data they collect,” Matt added.
Hagens Berman filed its latest class-action lawsuit against Progress Software on Aug. 15, 2023, accusing it of negligence, unjust enrichment and breach of contract. The firm’s prior lawsuits against Progress also name Johns Hopkins University and Health System, Pension Benefit Information and PBI Research Services.
The firm plans to file additional complaints against other co-defendants involved in the data breach. According to attorneys, the full scope of other involved parties is still being revealed, and those affected will be made aware via mailed letters detailing the breach of their sensitive information by Progress Software’s MOVEit.
How Progress Failed to Live Up to Its Promises
According to the lawsuit, in June 2023, hackers from the well-known Russian cybergang, Clop, discovered a security vulnerability in MOVEit, a managed file transfer software owned by Progress Software used by many organizations to store, manage and distribute information. Progress markets MOVEit as a software that “guarantees the security of sensitive files both at -rest and in-transit,” and promises data security compliance.
The vulnerability had existed since 2021, according to the lawsuit, but was never rectified due to Progress’s negligence, and hackers were able to exploit this vulnerability and gain access to sensitive personal data collected by organizations that used the software, the lawsuit states.
Because many of the organizations impacted by the data breach handle data on behalf of others, who in turn received that data from third parties, the security vulnerability discovered in the MOVEit software and Progress’s reckless mismanagement of its data allowed hackers to slip past the defenses of a vast, interconnected web of companies and institutions.
The list of affected organizations continues to grow, according to attorneys.
Attorneys say Progress failed those whose data it stored in several key manners, including its failure to monitor and maintain basic network safeguards, failing to maintain adequate data retention policies, not training staff on data security, failing to comply with industry standards of data security, and failing to encrypt users’ private Information, among other shortcomings that led to the compromised information of tens of millions of people.
“Progress and others using the MOVEit software were regularly handling essentially the most important and sensitive personal information of millions of individuals, liaising with government entities, insurers, and health care providers,” Matt said. “Progress had every reason to anticipate cybercrimes, yet it did little to prevent them, and its negligence falls just short of welcoming hackers through the front door with open arms.”
Even in the wake of this massive data breach, attorneys say Progress has made no assurances that it has adequately enhanced its data security practices to sufficiently safeguard from a similar vulnerability in MOVEit in the future.
What Action Should Be Taken by Those Impacted by the MOVEit Data Breach?
The lawsuit states, “Hackers such as Clop can and do offer for sale unencrypted, unredacted Private Information to criminals. The exposed Private Information of Plaintiff and Class Members can, and likely will, be sold repeatedly on the dark web.”
Hagens Berman’s attorneys suggest that anyone who believes they may have been affected monitor their financial accounts for any suspicious activity. Experts recommend consumers freeze their credit with all three credit reporting agencies. If you elect to use any paid service to protect yourself from identity theft because of the MOVEit data breach, be sure to save receipts itemizing your payments. You may be eligible for reimbursement through future legal actions.
Hagens Berman has extensive experience litigating cases of this nature. The firm was one of only a select few chosen to lead the lawsuits against T-Mobile for its 2021 breach, in response to which the carrier has agreed to pay $350 million into a settlement fund for customers. The firm has also filed a case against T-Mobile on behalf of more than 37 million consumers whose data was compromised in a separate 2022 data breach, among other cybersecurity cases.
# # #
About Hagens Berman
Hagens Berman is a global plaintiffs’ rights complex litigation law firm with a tenacious drive for achieving real results for those harmed by corporate negligence and fraud. Since its founding in 1993, the firm’s determination has earned it numerous national accolades, awards and titles of “Most Feared Plaintiff’s Firm,” MVPs and Trailblazers of class-action law. More about the law firm and its successes can be found at www.hbsslaw.com. Follow the firm for updates and news at @ClassActionLaw.
Media Contact
Ash Klann
[email protected]
206-623-9363