2023-06-05 PROGRESS SOFTWARE CORP /MA Cybersecurity Incident

Page last updated on April 11, 2024

PROGRESS SOFTWARE CORP /MA initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-06-05 08:26:01 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date: 2023-05-28
Disclosure Date: 2023-06-05
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-06-05

PROGRESS SOFTWARE CORP /MA filed an 8-K at 2023-06-05 08:26:01 EDT
Accession Number: 0000876167-23-000113

Item 8.01 Other Events.

On the evening of May 28, 2023 (Eastern Time), the MOVEit technical support team at Progress Software Corporation (“Progress” or “the Company”) received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and discovered a zero-day vulnerability in MOVEit Transfer. The investigative team determined that the vulnerability could provide for unauthorized escalated privileges and access to the customer’s underlying environment. Following such discovery, on May 30, 2023, Progress promptly (i) reached out to all MOVEit Transfer and MOVEit Cloud (Progress’ cloud-hosted version of MOVEit Transfer) customers in order to apprise them of the vulnerability and alert them to immediate remedial actions, and (ii) took down MOVEit Cloud for investigation. In parallel, the engineering team at the Company worked to develop a patch for all supported versions of MOVEit Transfer (including MOVEit Cloud), which was released across all impacted systems on May 31, 2023 and allowed for the restoration of MOVEit Cloud that same day.

Progress has remained fully operational at all times before and after the discovery of the vulnerability and, as of the time of this current report on Form 8-K, has not uncovered evidence of unauthorized activity or impact to products beyond MOVEit Transfer and MOVEit Cloud. As of May 31, 2023, Progress estimates that MOVEit Transfer and MOVEit Cloud accounted for less than 4% of Progress’ annual gross revenue.

Progress has engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the vulnerability. While Progress’ investigation remains ongoing, the Company (i) has and is continuing to implement a series of additional security and related measures aimed at addressing this vulnerability and further strengthening the overall security of the MOVEit application, (ii) has engaged outside legal counsel to conduct a thorough independent investigation of the vulnerability, and (iii) has engaged with federal law enforcement and other federal agencies with respect to the vulnerability.

As the investigation remains ongoing, Progress will continue to assess the potential impact on its business, operations and financial results. Based upon Progress’ assessment of the investigation at this time, the Company currently does not believe that the vulnerability will have a material impact on its business, operations or financial results.

Company Information