Software Makers May Face Greater Liability in Wake of MOVEit Lawsuit

Published: 23/11/2024   Category: security




Makers of vulnerable apps that are exploited in wide-scale supply chain attacks need to improve software security or face steep fines and settlement fees.



A nationwide class-action suit filed against Progress Software in the wake of the massive MOVEit breach could point to additional litigation against software companies whose vulnerable applications are exploited in large-scale supply chain attacks, a legal expert says.
Progress faces claims of negligence and breach of contract, among others, in five nationwide class-action lawsuits filed by consumer-rights law firm Hagens Berman after the Cl0p ransomware gang exploited a critical zero-day flaw in its MOVEit managed file transfer application.
The attack has affected both multinational, high-profile million- and billion-dollar organizations, Shell Oil and British Airways among them, as well as smaller organizations, both public and private, that deploy MOVEit to exchange sensitive data and large files both internally and externally.
Environments that had vulnerable versions of the software installed exposed sensitive personally identifiable information (PII) of customers, including names, Social Security numbers, birth dates, demographic information, insurance policy numbers, and other financial information.
Hagens Berman claims that in all, Progress has compromised the sensitive personal information of more than 40 million people, and promises that more class actions are on the way as more of the 600 affected organizations come forward.
The suits claim that Progress failed to properly secure and safeguard personally identifiable information, thus exposing plaintiffs to a current and ongoing risk of identity theft as well as invasion of privacy, financial costs, loss of time and loss of productivity, according to a court filing. Moreover, they face a continued risk that their private information will be misused by criminals.
Depending on how the case proceeds, it could set further precedent for the liability of software providers if and when they fail to fix vulnerabilities in their products before attackers can exploit them and cause data, financial, and other losses for their customers.
"The cases demonstrate that software vendors need to be more careful in protecting against breaches," says Sean Matt, one of the Hagens Berman partners on the case. More breaches are occurring, and more cases are being filed as a result.
Indeed, there is precedent for plaintiffs winning multimillion-dollar settlements — some in the hundreds of millions of dollars — when attacks on vulnerable software result in breaches of sensitive data, he says.
Most class-action lawsuits like this settle out of court because smart vendors don't want to be dragged through months of discovery and public trials, acknowledges Willy Leichter, vice president of security firm Cyware.
One such case was the Accellion data breach, in which the company reached an $8.1 million settlement relating to a zero-day exploit that resulted in a data breach impacting millions of people, says Collin Walke, a cybersecurity and data privacy attorney in Oklahoma City, who previously served in the Oklahoma House of Representatives.
Like other settlements and the MOVEit suits, the Accellion case was based on claims of negligence, breach of contract, and invasion of privacy, among others. Moreover, in ransomware cases like MOVEit, these awards could potentially be on the higher side if the victim organization opted to pay the ransom, thus driving up the cost of their losses.
In the case of MOVEit, Coveware released an analysis recently estimating that the breach could earn Cl0p up to $100 million, money that companies may try to recoup through legal action.
"It certainly puts software companies on notice that they have exposure if their software is flawed," Walke says. That would be especially true if the company knew about vulnerabilities and did nothing to stop them.
Right now it's unclear whether this is the case with MOVEit, and what exactly Progress is liable for, Walke says. The software vendor patched the flaw at the heart of the Cl0p attacks on May 31, the same day the flaw was disclosed. However, the class-action suits claim the vulnerability had existed since 2021.
The crux of the case, if tried in court, would depend on whether Progress was negligent in failing to identify the flaw before it was exploited, as the case claims, thus failing to live up to various responsibilities to customers.
According to plaintiffs, these responsibilities include monitoring and maintaining basic network safeguards; maintaining adequate data retention policies; training staff on data security; complying with industry standards of data security; and encrypting users' private information.
"If any zero-day exploit can constitute negligence for failure to catch and then patch, then every software company in the world has exposure," Walke says. "If, however, negligence requires notice of the zero-day exploit and then failure to act, that narrows the pool of potentially liable companies to only those who had notice of the flaw and ignored it."
Of course, none of this matters if the company decides to settle, which seems likely, especially if cases continue to mount.
A spokesperson from MOVEit says that Progress doesn't comment on pending litigation. "Right now, the company's focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed," the spokesperson says.
The cases come at a pivotal time, as the discussion and potential legislation around software vendor liability heats up and the Biden administration ponders its response. The National Cybersecurity Strategy, released by the Biden administration in March, has acknowledged that under the currently recognized liability paradigm, software vendors are rarely held to account for exploited flaws in their solutions.
Whether under contract, product liability, or common-law negligence theories, software makers to date have been nearly universally successful in avoiding meaningful liability, notes Mark Millender, senior advisor, global executive engagement at Tanium, a provider of converged endpoint management.
The National Cybersecurity Strategy proposes a joint effort between the administration, Congress, and the private sector to develop legislation to establish such liability, a process that will take time but is ultimately necessary, he says.
"It is critical to address the lack of accountability to drive the market to produce safer products and services while preserving innovation," Millender says.
Software is now integral to so many physical products that the software industry can't claim special immunity because its products are complex or hard to debug, concurs Cyware's Leichter. "If this suit is successful, it will probably spur more claims against software vendors, but that's the inevitable cost of having software run the world."
