2023-09-21 PROG Holdings, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

PROG Holdings, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-09-21 16:31:31 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-09-21
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-09-21

PROG Holdings, Inc. filed an 8-K at 2023-09-21 16:31:31 EDT
Accession Number: 0001193125-23-239623

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

ITEM 8.01.

OTHER EVENTS. PROG Holdings, Inc. (the “Company”) today announced that its Progressive Leasing subsidiary (“Progressive Leasing”) recently experienced a cybersecurity incident affecting certain of Progressive Leasing’s systems. Promptly after detecting the incident, the Company engaged leading third-party cybersecurity experts and took immediate steps to respond to, remediate and investigate the incident. Law enforcement was also notified. There has been no major operational impact to any of Progressive Leasing’s services as a result of the incident and the Company’s other subsidiaries have not been impacted. The Company’s investigation into the incident, including identification of the data involved, remains ongoing. Based on preliminary findings from the Company’s investigation, the Company believes the involved data contained a substantial amount of personally identifiable information, including social security numbers, of Progressive Leasing’s customers and other individuals. Progressive Leasing will provide notice to those individuals whose personally identifiable information was involved in the incident, as well as to regulatory authorities, in accordance with applicable laws. While no company can ever eliminate the risk of a cyberattack, the Company has taken, and will continue to take, appropriate steps, working with its third-party cybersecurity experts, to further harden its systems to protect against future incidents. The Company has incurred, and may continue to incur, significant expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by the Company’s cybersecurity insurance, has not been determined. Although the Company is unable to predict the full impact of this incident, the Company does not currently expect that it will have a material effect on the Company’s financial condition and results of operations. Forward-Looking Statements This Current Report on Form 8-K contains statements that constitute “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995, Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934, each as amended. All statements other than statements of historical fact made herein are forward-looking statements, including, without limitation, statements about the Company’s ongoing investigation, the Company’s beliefs regarding the involved data containing a substantial amount of personally identifiable information of Progressive Leasing’s customers and other individuals, future notifications to those individuals and regulatory authorities, steps the Company is taking to further harden its systems, expenses to be incurred in connection with responding to, remediating and investigating the matter and whether these expenses will be offset by the Company’s cybersecurity insurance and the incident’s effect on the Company’s financial condition and results of operations. The Company has based these forward-looking statements on current expectations and assumptions regarding the incident, which are subject to risks and uncertainties that could cause actual results to differ materially from those expressed or implied in the forward-looking statements. These risks and uncertainties include, but are not limited to, the Company’s ability to respond to and remediate the incident or any future cybersecurity incidents; additional information uncovered during the investigation informing the Company’s assessment of the full impact of the incident; the compromise or improper use of sensitive, proprietary, confidential, financial or personal data or other information resulting in negative consequences such as fines, penalties, or loss of reputation, competitiveness or customers; incremental expenses associated with the Company’s ongoing assessment and investigation of the incident; the nature and scope of any claims, litigation or regulatory proceedings that may be brought against the Company or other affected parties as a result of the incident; the availability of cybersecurity insurance coverage; the potential impact of this incident on the Company’s financial condition and results of operations; the length and scope of any disruptions to Progressive Leasing caused by the incident; and other legal, reputational and financial risks resulting from this or other cybersecurity incidents. Additional risks and uncertainties that may cause actual results to differ materially include the risks and uncertainties listed in the Company’s filings with the Securities and Exchange Commission (the “SEC”), including the Company’s Annual Report on Form 10-K for the fiscal year ended December 31, 2022, filed with the SEC on February 22, 2023. In providing forward-looking statements, the Company is not undertaking any duty or obligation to update these statements publicly as a result of new information, future events or otherwise, except as required by law.
2

Company Information