A nationwide class-action suit filed against Progress Software in the wake of the massive MOVEit breach could point to additional litigation against software companies whose vulnerable applications are exploited in large-scale supply chain attacks, a legal expert says.
Progress faces claims of negligence and breach of contract, among others, in five nationwide class-action lawsuits filed by consumer-rights law firm Hagens Berman after the Cl0p ransomware gang exploited a critical zero-day flaw in its MOVEit managed file transfer application.
The attack has affected both multinational, high-profile million- and billion-dollar organizations — Shell Oil and British Airways among them — as well as smaller organizations both public and private who deploy MOVEit to exchange sensitive data and large files both internally and externally.
Environments that had vulnerable versions of the software installed exposed sensitive personally identifiable information (PII) of customers, including names, Social Security numbers, birth dates, demographic information, insurance policy numbers, and other financial information.
Hagens Berman claims that in all, Progress has compromised the sensitive personal information of more than 40 million people, and promises that more class actions are on the way as more of the 600 affected organizations come forward.
The suits claim that Progress failed "to properly secure and safeguard personally identifiable information," thus exposing plaintiffs to "a current and ongoing risk of identity theft" as well as invasion of privacy, financial costs, loss of time and loss of productivity, according to a court filing. Moreover, they face a continued risk that their private information will be misused by criminals.
Depending on how the case proceeds, it could set further precedent for the liability of software providers if and when they fail to fix vulnerabilities in their products before attackers can exploit them and cause data, financial, and other losses for their customers.
"The cases demonstrate that software vendors need to be more careful in protecting against breaches," says Sean Matt, one of the Hagens Berman partners on the case, says. "More breaches are occurring, and more cases are being filed as a result."
Precedence for Million-Dollar Settlements
Indeed, there is precedence for plaintiffs winning multi-million dollar settlements — some in the hundreds of millions of dollars — when attacks on vulnerable software results in breaches of sensitive data, he says.
"Most class-action lawsuits like this settle out of court because smart vendors don't want to be dragged through months of discovery and public trials," acknowledges Willy Leichter, vice president of security firm Cyware.
One such case was the Accellion data breach, in which the company reached an $8.1 million settlement relating to a zero-day exploit that resulted in a data breach impacting millions of people, says Collin Walke, a cybersecurity and data privacy attorney in Oklahoma City, who previously served in the Oklahoma House of Representatives.
Like other settlements and the MOVEit suits, the Accelion case was based on claims of negligence, breach of contract, and invasion of privacy, among others. Moreover, in ransomware cases like MOVEit, these rewards potentially could be on the higher side if the victim organization opted to pay the ransom, thus driving up the cost of their losses.
In the case of MOVEit, Coveware released an analysis recently estimating that the breach could earn Cl0p up to $100 million, money that companies may try to recoup through legal action.
"It certainly puts software companies on notice that they have exposure if their software is flawed," Walke says. "That would be especially true if the company knew about vulnerabilities and did nothing to stop them."
Liable Or Not?
Right now it's unclear if this is the case with MOVEit, and as to what exactly Progress is liable for, Walke says. The software vendor patched the flaw at the heart of the Cl0p attacks on May 31, the same day the flaw was disclosed. However, the class-action suits claim the vulnerability had existed since 2021.
The crux of the case, if tried in court, would depend on if Progress was negligent in failing to identify the flaw before it was exploited, as the case claims, thus failing to live up to various responsibilities to customers.
According to plaintiffs, these responsibilities include monitoring and maintaining basic network safeguards; maintaining adequate data retention policies; training staff on data security; complying with industry standards of data security; and encrypting users' private information.
"If any zero-day exploit can constitute 'negligence' for failure to catch and then patch, then every software company in the world has exposure," Walke says. "If, however, negligence requires notice of the zero-day exploit and then failure to act, that narrows the pool of potentially liable companies to only those who had notice of the flaw and ignored it."
Of course, none of this matters if the company decides to settle, which seems likely, especially if cases continue to mount.
A spokesperson from MOVEit says that Progress doesn't comment on pending litigation. Right now, the company's focus "remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed," the spokesperson says.
Effects Going Forward?
The cases come at a pivotal time as the discussion and potential legislation around software vendor liability heats, and the Biden administration ponders its response. The National Cybersecurity Strategy, released by the Biden Administration in March, has acknowledged that under the currently recognized liability paradigm, software vendors are rarely held to account for exploited flaws in their solutions.
"Whether under contract, product liability, or common-law negligence theories, software makers to date have been nearly universally successful avoiding meaningful liability," notes Mark Millender, senior advisor, global executive engagement at Tanium, a provider of converged endpoint management
The National Cybersecurity Strategy proposes a joint effort between the administration, Congress, and the private sector to develop legislation to establish such liability, a process that will take time but is ultimately necessary, he says.
"It is critical to address the lack of accountability to drive the market to produce safer products and services while preserving innovation," Millender says.
"Software is now integral to so many physical products that the software industry can't claim special immunity because their products are complex or hard to debug," concurs Cyware's Leichter. "If this suit is successful, it will probably spur more claims against software vendors, but that's the inevitable cost of having software run the world."