
Cyber attack that affected Louisiana motorists' personal data prompts litigation, identity theft warnings

LOUISIANA RECORD

Saturday, December 21, 2024


The Louisiana Office of Motor Vehicles is offering free identity theft protection and credit monitoring services as a result of the data breach. | Pexels.com / Cottonbro Studio

A cyber attack reported in May that exposed the personal data of millions of Louisiana drivers is creating litigation headaches and potential financial burdens for the company that developed the MOVEit file-transfer software.

The state Office of Motor Vehicles, which uses the Progress Software Corp. technology, was notified May 31 of a vulnerability in its transfer software that allowed an unauthorized party access to drivers’ and others’ personal information. The data included addresses, dates of birth, Social Security numbers, driver’s license numbers, height, eye color and handicap placard data.

Matthew Boudreaux, the OMV’s spokesman, said the office installed the company’s software patch immediately after its release to fix the vulnerability.

“Additionally, the state implemented certain firewall configurations to defend itself against internet traffic from MOVEit's web services,” Boudreaux said in an email to the Louisiana Record.

Louisiana has more than 3.2 million licensed drivers, according to a 2019 tally by the Federal Highway Administration.

The OMV has emailed Louisianans potentially affected by the security breach, provided them with complimentary 12-month identity theft protection from Norton LifeLock and advised them to consider freezing their credit as a precaution.

The MOVEit software is widely used nationwide and worldwide to transfer large computer files.

In a Form 10-Q filed last month with the Securities and Exchange Commission, Progress Software said it incurred minimal second-quarter costs as a result of the security breach, but the company also said the breach had prompted 11 class-action lawsuits filed by those affected by “the exfiltration of data” from MOVEit clients.

“If our products contain software defects or security flaws, it could harm our revenues by causing us to lose customers and could increase our liabilities by exposing us to costly governmental investigations or litigation,” the filing states. “For example, the exploitation of the zero-day MOVEit vulnerability in May 2023 has resulted in government inquiries, a formal law enforcement investigation and private litigation.”

Four MOVEit customers have reported to the company that they intend to seek compensation for harm as a result of the security breach, according to the Form 10-Q that was filed July 7.

A spokesperson for Progress and MOVEit Software told the Record that company officials are working with law enforcement and others to combat increasingly sophisticated cybercriminals who exploit software vulnerabilities.

“We remain focused on supporting our customers by helping them take the steps needed to further harden their environments, including applying the fixes we have released,” the spokesperson said. “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures.”
