Progress Software MOVEit Data Breach FAQ

Frequently Asked Questions

Hagens Berman is here to provide comprehensive and helpful information about the multiple lawsuits our law firm is pursuing against Progress Software and other organizations regarding the 2023 MOVEit data breach. This event compromised the highly sensitive personal information of more than 40 million people across more than 600 institutions, including banks, pension programs, schools, government agencies and more. This FAQ is available to guide you through ongoing lawsuits filed on behalf of those affected.

ABOUT THE 2023 MOVEit DATA BREACH

What information was compromised in the MOVEit data breach?

What information was compromised in the MOVEit data breach?
The hundreds of organizations impacted by the MOVEit data breach collected the following sensitive data from tens of millions of people around the country:

Social Security numbers
Pension information
Medical records
Banking information
Billing data
Dates of Birth
Contact information
Other sensitive records and personal data

How many people were impacted by the data breach?

The data breach compromised the sensitive personal data of an estimated 40 million people, and new information about data breach’s impact is still emerging.

What did Progress Software do?

Progress markets MOVEit as a software that “guarantees the security of sensitive files both at-rest and in-transit,” and promises data security compliance, which attorneys say is false and misleading.

Attorneys say Progress failed those whose data the MOVEit software transferred in several key ways, including failing to monitor and maintain basic network safeguards, failing to maintain adequate data retention policies, not training staff on data security, failing to comply with industry standards of data security and failing to encrypt users’ private Information, among other shortcomings that led to the compromised information of tens of millions of people.

ABOUT THE HACKERS

Who is behind the data breach?

A well-known Russian cybergang, Clop, has claimed responsibility for the MOVEit breach.

How did hackers gain access to the sensitive data of more than 40 million people?

Hackers discovered a security vulnerability in Progress Software’s MOVEit, a managed file transfer software. Hundreds of organizations use MOVEit to store, manage and distribute information. According to reports, because many of the organizations impacted by the data breach were handling data on behalf of others, who in turn got that data from third parties, the security vulnerability discovered in the MOVEit software allowed hackers to slip past the defenses of a vast, interconnected web of companies and institutions.

The vulnerability had existed since 2021, according to the lawsuit, but was never rectified due to Progress’s alleged negligence. Hackers exploited the vulnerability to steal highly sensitive personal data from more than 600 organizations worldwide.

Progress failed to monitor and maintain basic network safeguards, to maintain adequate data retention policies, to not train staff on data security, to comply with industry standards of data security and to encrypt users’ private Information, among other shortcomings to basic industry standards and best practices.

POTENTIAL RISK

What can cybercriminals do with the type of data that was compromised by the MOVEit breach?

Identity theft is the most common consequence of a data breach and happens to about 65% of data breach victims. Consumers lost more than $56 billion to identity theft and fraud in 2020 alone, and over 75% of identity theft victims reported emotional distress.

The most recent lawsuit against Progress states, “Hackers such as Clop can and do offer for sale unencrypted, unredacted Private Information to criminals. The exposed Private Information of Plaintiff and Class Members can, and likely will, be sold repeatedly on the dark web.”

OTHER COMPANIES INVOLVED IN THE DATA BREACH

What organizations have been impacted by the data breach?

An estimated 600 organizations worldwide lost sensitive personal information to the MOVEit data breach. Reports say that “the majority of schools” in the U.S. were likely affected by the data breach. Banks, manufacturing firms, airlines and other companies have also been impacted, exposing the data of millions of people around the country to hackers. See a full list of impacted organizations. [insert link]

According to attorneys, the full scope of other involved parties is still being revealed, and those affected should be made aware via mailed letters detailing the breach of their sensitive information by Progress Software’s MOVEit.

Why did I receive a data breach notification letter from a company I’ve never heard of?

You may have received a data breach notification letter from PBI Research Services, or another company with which you are not familiar. This is because many insurance companies, pension funds and other organizations share personal data with companies like PBI so that they can provide research and other business services.

Because many of the organizations impacted by the data breach handle data on behalf of others, your data may have been shared via MOVEit with PBI or another third-party company by your insurer, pension fund manager or another organization with whom you do business. Those affected are likely to receive a data breach letter from that third-party company. Fill out the form to find out your rights.

What if the company that was responsible for breaching my information hasn’t yet been named in a filed lawsuit?

The firm plans to file additional complaints against other co-defendants involved in the data breach. According to attorneys, the full scope of other involved parties is still being revealed, and those affected should be made aware via mailed letters from affected organizations detailing the breach of their sensitive information by Progress Software’s MOVEit. If you have received a letter from a company that has yet to be named in a lawsuit, send us your letter.

ABOUT THE LAWSUITS

What is the lawsuit about?: Progress Software owns MOVEit, a managed file transfer software used by various organizations. In June 2023, a massive data breach compromised the sensitive personal information of more than 40 million people worldwide. Progress and the other organizations implicated in the lawsuits were negligent in handling individuals’ data. The class actions seek to hold the companies accountable and recover compensation on behalf of individuals who are now vulnerable to identity theft and other cybercrimes.
Why has Hagens Berman filed multiple class actions regarding the MOVEit data breach?: Hagens Berman has filed multiple class-action lawsuits regarding the MOVEit data breach because multiple organizations including Progress are responsible for mishandling sensitive consumer data in this case. Each of the lawsuits brings claims against Progress, but the various complaints implicate different additional organizations as co-defendants..
Will Hagens Berman file additional lawsuits?: The firm plans to file additional complaints against other co-defendants involved in the data breach.
What claims do Hagens Berman’s lawsuits bring against Progress and other companies?: The firm’s lawsuits bring claims of negligence, unjust enrichment, breach of contract and other wrongdoing against Progress Software and other entities for reckless mismanagement of sensitive personal information.

ABOUT CLASS-ACTION LAWSUITS

What is a class-action lawsuit?: A class-action lawsuit is a civil lawsuit brought on behalf of a group of people that suffered common harm as a result of the defendants’ same conduct, with at least one individual or entity acting as a representative of that group. While the issues in a class action can vary, the issues in dispute are common to all class members.
Each person impacted by the data breach could sue Progress or other implicated companies individually. Why participate in a class-action lawsuit?: It is often more practical for the plaintiff, the court and the defendants to join the individual actions into one lawsuit. Most people don’t have the time or resources to engage in costly individual litigation against well-resourced corporate opponents, and a class-action lawsuit allows many people suffering from the same issue to join forces and pursue justice without having to shoulder the cost or the risks associated with individual litigation. Class-action lawsuits are a time-tested method for holding tech companies and other big business accountable for negligence, fraud and other wrongdoing.
Do I have to pay to participate in the lawsuit?: No, there is never any out-of-pocket cost to participate in a class-action lawsuit. The class-action structure allows plaintiffs’ firms like Hagens Berman to shoulder the financial risks associated with litigation, which is one reason why it is such a powerful tool for holding corporations and other powerful entities accountable to the public. Attorneys’ fees and litigation costs are ultimately paid separately by the defendants or from the settlement proceeds, but only after review and award by the court.
Do I have to be a named plaintiff in the complaint to receive settlement benefits, if one is reached?: No, the individuals named in class-action complaints are named plaintiffs (often referred to as class representatives) bringing the case on behalf of all similarly situated people. All those impacted by the data breach will be eligible to receive any benefits which may be recovered as a result of these lawsuits.

NEXT STEPS

What happens next?: Attorneys say it is likely that all the individual class actions regarding the MOVEit data breach will eventually be consolidated into a single multi-district litigation. At this early stage, however, initial complaints have been filed against several defendants, and Progress and the other defendants will respond, likely seeking to dismiss the cases. A court will then make its decision on whether to allow the cases to proceed.
What action do I need to take now?: Those affected may choose to fill out the form to receive timely updates regarding the case. Please note that completing our online form does not mean we represent you personally, and it does not have the effect of joining the proposed settlement or submitting a settlement claim.

POTENTIAL OUTCOME OF THE LAWSUITS

How much money can I expect to receive?: At this early stage in the litigation process, attorneys cannot provide an estimate for how much monetary or other forms of compensation individual members of the proposed class may receive. Damages sought may include cost of freezing accounts, reimbursement of out-of-pocket costs, future costs of identity theft monitoring, injunctive relief including improvements to the companies’ data security systems and future annual audits.
What do the lawsuits seek on behalf of consumers?: Damages sought may include cost of freezing accounts, reimbursement of out-of-pocket costs and time spent responding to the breach, future costs of identity theft monitoring, injunctive relief including improvements to the companies’ data security systems and future annual audits.

ABOUT YOUR PERSONAL DATA

How do I know if I’m affected by the MOVEit data breach?

If you have received a data breach notification letter, you may be impacted, and you can fill out the form to find out your rights. The MOVEit data breach impacted hundreds of organizations, including at least 30 colleges and universities and Teachers Insurance and Annuity Association of America (TIAA), a financial services provider. Reports say that “the majority of schools” in the U.S. were likely affected by this data breach. Banks, manufacturing firms, accounting firms, airlines and other companies have also been impacted, exposing the data of tens of millions of people around the country to hackers.

The notification letter you received may include details about the circumstances of the MOVEit data breach, what data was compromised in the breach and recommendations for how to protect yourself from identity theft.

My personal data was compromised in the data breach. What should I do?

Hagens Berman attorneys suggest that anyone who believes they may have been affected monitor their financial accounts for any suspicious activity. Experts recommend consumers freeze their credit with all three credit reporting agencies. If you elect to use any paid service to protect yourself from identity theft because of the MOVEit data breach, be sure to save receipts itemizing your payments. You may be eligible for reimbursement through future legal actions. Fill out the form to find out your rights.