A legal expert has stated that a nationwide class-action suit recently filed against Progress Software could result in additional litigation against other software companies whose vulnerable applications are exploited in large-scale supply chain attacks. Progress Software is currently facing claims of negligence and breach of contract in five class-action lawsuits filed by consumer-rights law firm Hagens Berman after its MOVEit managed file transfer application was breached by the Cl0p ransomware gang. The attack has affected both large multinational organizations like Shell Oil and British Airways, as well as smaller public and private organizations that use MOVEit to exchange sensitive data.
The vulnerable versions of MOVEit exposed the personally identifiable information (PII) of millions of individuals, including names, Social Security numbers, birth dates, demographic information, insurance policy numbers, and other financial information. Hagens Berman claims that Progress has compromised the personal information of over 40 million people and expects more class actions to be filed as more affected organizations come forward.
The lawsuits allege that Progress failed to properly secure and safeguard the personal information, exposing plaintiffs to the risk of identity theft, invasion of privacy, financial costs, loss of time, loss of productivity, and the continued risk of their private information being misused by criminals. If successful, the case could set a precedent for the liability of software providers who fail to address vulnerabilities in their products before they are exploited, causing data, financial, and other losses for their customers.
According to Sean Matt, one of the partners at Hagens Berman, the MOVEit case demonstrates the need for software vendors to be more careful in protecting against breaches, as more breaches occur and more cases are filed as a result. Previous cases involving attacks on vulnerable software have resulted in multi-million dollar settlements, some reaching hundreds of millions of dollars. In one such case, involving Accellion, the company reached an $8.1 million settlement related to a zero-day exploit that led to a data breach affecting millions of individuals.
Willy Leichter, Vice President of security firm Cyware, acknowledges that most class-action lawsuits settle out of court, as vendors prefer to avoid public trials and lengthy discovery processes. However, if companies opt to pay the ransom in ransomware cases like MOVEit, the potential losses and subsequent legal actions could be significant. Leichter also states that it puts software companies on notice that they could be held liable if their software is flawed, particularly if they were aware of vulnerabilities and failed to take action to address them.
At present, it is unclear whether Progress was negligent in failing to identify the flaw in MOVEit before it was exploited, as claimed in the class-action suits. Progress patched the vulnerability on the same day it was disclosed, but the suits contend that the vulnerability existed for over a year. The outcome of the case would depend on whether Progress failed to live up to its responsibilities to customers, such as monitoring and maintaining network safeguards, implementing data security training, complying with industry standards, and encrypting users’ private information.
Progress has not commented on the pending litigation, but a spokesperson states that the company’s focus is on working closely with customers to strengthen their environments by applying the necessary patches. The current lawsuits come at a crucial time as discussions and potential legislation around software vendor liability intensify. The National Cybersecurity Strategy proposed by the Biden administration recognizes the need for software vendors to be held accountable for exploited flaws in their solutions and suggests the development of legislation to establish liability in collaboration with Congress and the private sector.
Mark Millender, a senior advisor at Tanium, a provider of converged endpoint management, suggests that addressing the lack of accountability in the software industry is necessary to drive the market to produce safer products and services while still encouraging innovation. The success of the MOVEit lawsuit could potentially lead to more claims against software vendors. However, some argue that it is an inevitable cost given that software now plays an integral role in various products and services.
