MOVEit Cyberattack Suits Could Get a Framework

News June 20, 2024 at 02:10 PM
Share & Print

A hooded hacker uses a computer.

The software company at the center of the vast swarm of MOVEit file transfer system cyberattack litigation has proposed a framework for sorting the many federal lawsuits.

The federal courts have already centralized more than 100 MOVEit cyberattack cases under U.S. District Judge Allison Burroughs of the U.S. District Court for Massachusetts, and the courts are continuing to send "tag-along cases" her way.

Progress Software has suggested dividing the MOVEit Customer Data Security Breach cases into three main tracks, according to a document filed with the court:

  • A corporate track for Progress Software and Ipswitch, the subsidiary in charge of MOVEit.
  • A track for direct MOVEit users, such as Johns Hopkins University, Unum and Charles Schwab.
  • A track for vendors that were using MOVEit to administer their own institutional customers' business. This track includes organizations such as Pension Benefit Information and TMG Health.

The proposed vendor track would have two main branches.

One branch could consist of vendor contracting entities, or companies like Jackson, MassMutual and Prudential that were the customers of the MOVEit vendors, and that were sued along with the vendors.

The other branch could consist of "vendor contracting entity customers," or MOVEit vendor customers that were sued without the vendors themselves being sued. The list of such customers that were sued without the vendors being sued are Continental Casualty, Lumico Life, Standard Insurance and Puritan Life.

The litigation is the result of successful efforts by the Cl0p ransomware organization to hack into systems supporting MOVEit sometime around May 2023.

What it means: Where you and your clients fit in the MOVEit litigation could affect what kinds of compensation and support services are available, or when any compensation actually gets paid, because some defendants could come under different state laws, be more aggressive than others, settle more quickly than others or have more resources than others to be used to compensate plaintiffs.

The Cl0P attack: Members of TA505, the group that spawned the Cl0p team, appear to speak Russian and are likely based in Russia or a country that's a member of the Commonwealth of Independent States, according to the Canadian Centre for Cyber Security.

Many financial services companies use MOVEit to administer the big, sensitive pools of data they use to run their businesses.

Because the MOVEit system has been so popular, the Cl0p attack on the system affected more than 26 million people associated with U.S. life insurers, annuity issuers and pension plan service providers.

Progress Software has repeatedly emphasized that it patched the software vulnerability involved in the attack as soon as it learned about it.

Multidistrict litigation: The federal courts developed the multidistrict litigation system in 1968.

The goal was to help parties involved in big clusters of similar lawsuits to save time and money and increase the odds that parties with roughly the same issues would receive roughly the same treatment.

Burroughs is supposed to try to help the parties involved in federal MOVEit suits combine as much of the pretrial action for their cases as possible,

MOVEit cases that are dismissed or settled in the Massachusetts court could end there.

If any of the parties want to go to trial and are allowed to do so, the trials are likely to take place in the courts where the cases started.

Some observers have argued that the multidistrict litigation process tends to favor efficiency for the defendants over the interests of the plaintiffs.

Supporters of the MDL strategy contend that it makes handling cyberattack incidents with many plaintiffs possible, and that using an ordinary litigation process for the attacks would overwhelm the courts.

The federal courts are handling the cyberattack litigation while facing cyberattacks on their own operations: The courts' security systems blocked about 200 million known harmful events in 2023, according to a budget request document.

Credit: Sergey Nivens/Adobe Stock

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center