Makers of vulnerable apps that are exploited in wide-scale supply chain attacks need to improve software security or face steep fines and settlement fees.
Elizabeth Montalbano Contributor, Dark Reading (August 22, 2023)
Roy Comment great article way to many firms are using “Terms and Conditions on there web sites to try and avoid litigation” Microsoft is a great example, I can name many others that I come in contact with, another example is RackSpace totally hosed the mail world with there security breach Dec 2022. All firms need to be held accountable/and financially for security breaches
A nationwide class-action suit filed against Progress Software in the wake of the massive MOVEit breach could point to additional litigation against software companies whose vulnerable applications are exploited in large-scale supply chain attacks, a legal expert says.
Progress faces claims of negligence and breach of contract, among others, in five nationwide class-action lawsuits filed by consumer-rights law firm Hagens Berman after the Cl0p ransomware gang exploited a critical zero-day flaw in its MOVEit managed file transfer application.
The attack has affected both multinational, high-profile million- and billion-dollar organizations — Shell Oil and British Airways among them — as well as smaller organizations both public and private who deploy MOVEit to exchange sensitive data and large files both internally and externally.
Environments that had vulnerable versions of the software installed exposed sensitive personally identifiable information (PII) of customers, including names, Social Security numbers, birth dates, demographic information, insurance policy numbers, and other financial information.
Hagens Berman claims that in all, Progress has compromised the sensitive personal information of more than 40 million people, and promises that more class actions are on the way as more of the 600 affected organizations come forward.
The suits claim that Progress failed “to properly secure and safeguard personally identifiable information,” thus exposing plaintiffs to “a current and ongoing risk of identity theft” as well as invasion of privacy, financial costs, loss of time and loss of productivity, according to a court filing. Moreover, they face a continued risk that their private information will be misused by criminals.
Depending on how the case proceeds, it could set further precedent for the liability of software providers if and when they fail to fix vulnerabilities in their products before attackers can exploit them and cause data, financial, and other losses for their customers.
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”