XML 34 R24.htm IDEA: XBRL DOCUMENT v3.24.2
Cyber Related Matters
 6 Months Ended
May 31, 2024
Health Care Organizations [Abstract]  
Cyber Related Matters Cyber Related Matters
November 2022 Cyber Incident

Following the detection of irregular activity on certain portions of our corporate network, we engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident. We did not incur costs related to this incident during fiscal year 2024 and do not expect to incur additional costs as the investigation is closed. We incurred net expenses of $1.5 million and $4.2 million related to this incident during the three and six months ended May 31, 2023.

MOVEit Vulnerability

As previously reported, on the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer (including our cloud-hosted version of MOVEit Transfer known as MOVEit Cloud). A "zero-day vulnerability" is a vulnerability that has been publicly disclosed and/or exploited (e.g., by an independent researcher or threat actor) before the software vendor has an opportunity to patch it. The investigative team determined that the zero-day vulnerability (the “MOVEit Vulnerability”) could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer (the on-premise version) and MOVEit Cloud (a cloud-hosted version of MOVEit Transfer that we deploy in both (i) a public cloud format, as well as (ii) for a small group of customers, in customer-dedicated cloud instances that are hosted, separate and apart from the public instances of our MOVEit Cloud platform). We promptly took down MOVEit Cloud for further investigation and notified all then-known current and former MOVEit Transfer and MOVEit Cloud customers in order to apprise them of the MOVEit Vulnerability and alert them to immediate remedial actions. In parallel, our team developed a patch for all supported versions of MOVEit Transfer and MOVEit Cloud, which was released on May 31, 2023, and allowed for the restoration of MOVEit Cloud that same day. We continue to assess the potential impact of the MOVEit Vulnerability on our business, operations, and financial results. MOVEit Transfer and MOVEit Cloud represented less than 4% in aggregate of our revenue for the six months ended May 31, 2024.

Litigation and Governmental Investigations

As of the date of the issuance of the financial statements, (i) we have received formal letters from 38 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification from us related to the MOVEit Vulnerability, (ii) we have received a letter from an insurer providing for notice of a subrogation claim (where the insurer is seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability), which resulted in the filing of a lawsuit in the District of Massachusetts that has since been joined with the MDL (defined below), and (iii) we are party to approximately 144 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers, which the Judicial Panel on Multidistrict Litigation transferred to the District of Massachusetts for coordinated and consolidated proceedings (the "MDL").

We have also been cooperating with the following inquires and investigations (some of which are further described hereafter): (i) several inquiries from domestic and foreign data privacy regulators; (ii) several inquiries and two formal investigations from state attorneys general; (iii) a formal investigation from a U.S. federal law enforcement agency (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target); and (iv) a formal investigation from the SEC.

On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit Vulnerability. As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security. Progress is cooperating fully with the SEC in its investigation.
On November 3, 2023, the United Kingdom’s Information Commissioner’s Office informed Progress that based upon the information provided, the Commissioner’s Office determined that regulatory action against Progress was not required in relation to the MOVEit Vulnerability.

On December 21, 2023, Progress received a preservation notice from the Federal Trade Commission (the "FTC"), but has not otherwise received a request for information nor is Progress aware of any formal FTC investigation.

On January 18, 2024, Progress received a subpoena from the Office of the Attorney General for the District of Columbia seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress is cooperating fully with the Office of the Attorney General for the District of Columbia in its investigation.

On February 9, 2024, Progress received a subpoena from the Office of the Attorney General for the State of New Jersey seeking various documents and information relating to the MOVEit Vulnerability. At this stage, the investigation is a fact-finding inquiry, and the investigation does not mean that Progress or anyone else has violated applicable laws. Progress is cooperating fully with the Office of the Attorney General for the State of New Jersey in its investigation.

On March 14, 2024, the Office of the Australian Information Commissioner’s Office informed Progress that based upon the information provided, the Commissioner’s Office determined that regulatory action against Progress was not required in relation to the MOVEit Vulnerability.

On May 29, 2024, the Agencia Española de Protección de Datos (the Spanish data protection authority also known as the AEPD) informed Progress that based upon the information provided, the AEPD determined that regulatory action against Progress was not required in relation to the MOVEit Vulnerability.

Expenses Incurred and Future Costs

For the three and six months ended May 31, 2024, we incurred costs of $3.0 million and $4.0 million, respectively, related to the MOVEit Vulnerability. The costs recognized are net of insurance recoveries of $1.9 million. The timing of recognizing insurance recoveries may differ from the timing of recognizing the associated expenses.

We expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. We will recognize these expenses as services are received, net of insurance recoveries. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing. Furthermore, with respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved. Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of May 31, 2024.

In addition, we may accelerate or make additional investments in our information technology systems, infrastructure, software products or networks following the MOVEit Vulnerability, however, we currently do not expect such amounts to be material to any fiscal period.

Insurance Coverage

During the period when the November 2022 cyber incident and the MOVEit Vulnerability occurred, we maintained $15.0 million of cybersecurity insurance coverage, which is expected to reduce our exposure to expenses and liabilities arising from these events. As of May 31, 2024, we have recorded approximately $7.0 million in insurance recoveries, of which $2.5 million was related to the November 2022 cyber incident and $4.5 million was related to the May 2023 MOVEit Vulnerability, providing us with approximately $8.0 million of additional cybersecurity insurance coverage under the applicable policy (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.