The Progress Software MOVEit Transfer data breach class action represents one of the largest and most consequential corporate cybersecurity failures in recent years. In May 2023, attackers exploited a critical SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file-sharing platform, compromising sensitive personal and financial data for between 67 and 93.3 million individuals worldwide. The breach affected more than 2,500 organizations across healthcare, finance, government, and education sectors—including major banks, pension funds, universities, and hospitals—making it one of the most far-reaching data breaches of the past decade. Hundreds of victims have filed class-action lawsuits against Progress Software, consolidating into a Multi-District Litigation (MDL) in Massachusetts federal court.
As of May 2024, 144 separate class-action lawsuits had been combined into this single MDL, with a federal judge already rejecting Progress Software’s attempts to dismiss negligence, breach of contract, and consumer protection claims. Multiple organizations affected by the breach—including Cadence Bank, Nuance Communications, and Union Bank and Trust—have already reached settlements totaling millions of dollars, offering affected individuals compensation for identity theft protection, credit monitoring, and out-of-pocket losses. If your personal information was compromised in the MOVEit Transfer breach through an affected company, you may be eligible to join one of these class-action lawsuits or claim compensation from an existing settlement. Understanding the breach’s scope, the litigation timeline, and your filing options is essential to recovering damages.
Table of Contents
- What Was the MOVEit Transfer Vulnerability and How Did Attackers Exploit It?
- How Many People and Organizations Were Affected by the MOVEit Transfer Breach?
- Which Types of Organizations and Industries Were Hit Hardest by MOVEit Transfer?
- How Do You File a Claim or Join the MOVEit Transfer Class Action?
- What Compensation and Benefits Are Available in MOVEit Transfer Settlements?
- What Allegations of Negligence Has Progress Software Faced?
- How Does the MOVEit Transfer Breach Compare to Other Major Data Breaches?
- What Is the Current Status of MOVEit Transfer Litigation and What Comes Next?
- Conclusion
What Was the MOVEit Transfer Vulnerability and How Did Attackers Exploit It?
The MOVEit Transfer vulnerability, tracked as CVE-2023-34362, was a SQL injection flaw in Progress Software’s file-transfer platform that allowed unauthenticated attackers to access and steal sensitive data directly from company databases. Between May 27 and May 31, 2023, the CL0P ransomware group began actively exploiting this known vulnerability, installing a malicious web shell called LEMURLOOT on internet-facing MOVEit Transfer servers. This web shell gave attackers complete access to the underlying database, allowing them to extract customer records, financial information, health data, and personal identification details without triggering traditional security alerts.
Progress Software did not publicly disclose the vulnerability until May 31, 2023—four days after CL0P began exploiting it. This delayed disclosure window gave attackers a significant head start to compromise systems before organizations could patch their installations. For many companies using MOVEit Transfer, the attack was already underway before they even learned a vulnerability existed. Some organizations discovered they had been breached only weeks or months later, after Progress Software or law enforcement notified them, meaning affected individuals remained unaware their data had been stolen during this critical window.
The exploitation was particularly devastating because MOVEit Transfer is designed specifically to handle highly sensitive file transfers for regulated industries. Healthcare providers use it to exchange patient medical records. Financial institutions use it to transmit banking data. Government agencies use it to manage citizen records. The platform’s central role in secure data workflows meant the vulnerability exposed some of the most sensitive categories of personal information—Social Security numbers, medical histories, financial account details, and driver’s license information—all in one attack.

How Many People and Organizations Were Affected by the MOVEit Transfer Breach?
The MOVEit Transfer breach affected between 2,500 and 2,700 organizations worldwide, with more than 80 percent based in the United States. This includes major corporations in healthcare, finance, insurance, pension management, education, and government. The total number of individuals whose data was compromised ranges from 67 million to 93.3 million globally, making it one of the largest data breaches in U.S. history by raw numbers affected. To put this in perspective, if the upper estimate of 93 million individuals is accurate, the MOVEit breach exposed data for roughly one out of every four Americans. A critical limitation in understanding the full scope of the breach is that not all affected organizations have publicly disclosed their involvement or the number of individuals impacted.
Some companies waited months to notify affected parties, while others negotiated confidential settlements that restrict public disclosure of breach details. This means the actual number of affected individuals and organizations may be significantly higher than currently known. Additionally, many individuals may never realize they were part of the breach if the compromised company failed to send timely notification or if notification letters were lost in the mail. The delay in breach notification created additional harm. Individuals whose data was stolen in late May 2023 may not have received notification until July, August, or September of that year—weeks during which their information was already being exploited by criminals. This notification lag is a common complaint in MOVEit Transfer litigation, with class-action filings specifically alleging that Progress Software’s delay in disclosing the vulnerability, combined with companies’ slow notification practices, allowed criminals to use stolen data before victims could take protective action.
Which Types of Organizations and Industries Were Hit Hardest by MOVEit Transfer?
Healthcare organizations and HIPAA-covered entities bore a particularly severe burden from the MOVEit Transfer breach, since patient medical records and protected health information represent some of the most valuable stolen data on the black market. Hospitals, health insurance companies, and healthcare providers that relied on MOVEit Transfer for secure patient records transmission found themselves notifying hundreds of thousands of patients about potential exposure of their most sensitive medical and personal information. Nuance Communications, a major healthcare software company and HIPAA business associate, reached a settlement of $8.5 million specifically addressing the health information exposure resulting from the MOVEit breach. Financial institutions were equally hard-hit, with banks, credit unions, pension funds, and investment firms all reporting data compromise. Cadence Bank settled for $5.25 million after the MOVEit breach exposed customer financial information.
Union Bank and Trust in Nebraska reached a $2.4 million settlement for depositor account details and Social Security numbers that were stolen. Government agencies managing Social Security records, tax information, and veterans’ benefits also suffered significant breaches, creating a compounding risk for millions of individuals whose data exists in multiple datasets across both government and private sector organizations. Educational institutions, including universities and school systems, were also compromised, exposing student records, employee information, and financial data. The sector diversity of affected organizations means that victims of the MOVEit breach may be entirely unaware they were impacted. A person who banked at one of the affected institutions and had their data exposed, but never checked their mail, might not realize they needed to monitor their credit until fraudulent accounts appeared in their name.

How Do You File a Claim or Join the MOVEit Transfer Class Action?
Your ability to file a claim in the MOVEit Transfer litigation depends on which organization exposed your data and whether that organization has settled its MOVEit-related claims or remains involved in pending litigation. For companies that have already reached settlements—such as Cadence Bank, Nuance Communications, or Union Bank and Trust—your claim process typically involves submitting proof that you were a customer or employee of that organization during the breach period, along with any documentation of out-of-pocket losses related to identity theft or fraud resulting from the compromise. The broader MOVEit Transfer MDL consolidated in Massachusetts federal court is still progressing through litigation as of 2024-2025. If your data was breached through an organization not yet settled, you can either wait for settlements to be negotiated or consider joining one of the remaining class-action lawsuits. The tradeoff is that pending litigation typically takes longer—often 2-5 years from filing to settlement—but may result in higher compensation if the class successfully proves Progress Software’s negligence at trial.
Settled claims, by contrast, provide faster compensation but limit recovery to the settlement terms already negotiated. To determine your eligibility and filing deadline, you need to identify which organization exposed your data. Check breach notification letters you received in 2023 or search online for “MOVEit Transfer breach” combined with your bank, employer, or healthcare provider’s name. Filing deadlines for individual claims vary significantly—some settlements have already passed their claim deadlines, while others remain open. Deadlines are typically 6-12 months from the settlement approval date, so delay in filing can mean forfeiting your compensation opportunity entirely.
What Compensation and Benefits Are Available in MOVEit Transfer Settlements?
Settled claims in the MOVEit Transfer litigation typically provide two years of complimentary credit monitoring and identity theft protection services—a benefit worth between $150-300 annually for affected individuals. Beyond monitoring, settlements generally offer compensation for documented out-of-pocket losses up to $2,500 for ordinary losses (such as credit report monitoring costs, time spent resolving fraud issues, or phone calls to dispute unauthorized charges) and up to $10,000 for extraordinary losses (such as stolen funds, fraudulent loans taken in victims’ names, or significant identity theft recovery expenses). A significant limitation of settlement compensation is that it requires documentation. You cannot simply claim “I’m worried about identity theft” and receive the maximum $10,000. Instead, you must submit receipts, credit card statements, dispute letters, or other proof that you actually incurred specific losses traceable to the MOVEit breach.
This creates a substantial burden for many victims, particularly those who didn’t discover fraud immediately or who experienced lower-level impacts like credit score damage that are difficult to quantify monetarily. Additionally, settlement agreements typically cap total class-wide payouts, meaning that if many victims submit large claims, all payouts may be reduced proportionally. The compensation structure also fails to account for long-term identity theft risks. While a stolen Social Security number or full name-and-address combination can be exploited for years—enabling someone to open new credit accounts, file fraudulent tax returns, or commit medical identity theft—the settlement’s two-year credit monitoring period ends relatively quickly. Once the monitoring period expires, victims bear the cost of ongoing credit surveillance themselves, despite the ongoing risk created by the breach.

What Allegations of Negligence Has Progress Software Faced?
Progress Software stands accused in multiple lawsuits of failing to implement basic secure software design practices for a platform specifically intended to handle highly sensitive data transfers. The core allegation is that the company knew or should have known that SQL injection vulnerabilities were among the most common and dangerous attack vectors in file-transfer systems, yet failed to implement adequate input validation and parameterized query protections against such attacks. For a company claiming to provide “secure file transfer,” failing to prevent SQL injection represents a fundamental failure in the platform’s core security mission. Additionally, the litigation alleges that Progress Software delayed patching the vulnerability after becoming aware of it. The May 31 disclosure date suggests the company had some advance notice of the flaw before CL0P began exploiting it, yet the vulnerability apparently remained unpatched and unannounced until that date.
The days-long gap between when Progress Software likely discovered the flaw and when it publicly disclosed and released a patch gave attackers a critical window to compromise thousands of systems. Furthermore, the lawsuits allege that Progress Software was slow to proactively notify customers whose systems had been breached, instead waiting for law enforcement or affected individuals to bring breaches to the company’s attention. These negligence claims form the foundation of the litigation in Massachusetts federal court. In July 2025, the federal judge overseeing the MDL rejected Progress Software’s motions to dismiss, allowing negligence claims, breach of contract claims, unjust enrichment claims, and consumer protection violations to proceed toward trial or settlement. This ruling significantly strengthens the negotiating position of plaintiffs’ attorneys, suggesting the company faces substantial legal liability for its security failures.
How Does the MOVEit Transfer Breach Compare to Other Major Data Breaches?
The MOVEit Transfer breach ranks among the largest data breaches by volume of affected individuals, but the potential harm is amplified by the type of data stolen. The 2013 Target breach compromised approximately 40 million payment cards; the Equifax breach in 2017 exposed Social Security numbers and personal details for 147 million individuals. The MOVEit Transfer breach, with its 67-93 million affected individuals and its focus on stealing direct database contents including healthcare, financial, and government data, falls squarely in the category of catastrophic breaches comparable to Equifax.
What distinguishes MOVEit Transfer is that it affected multiple organizations simultaneously through a single compromised platform. Rather than a breach of one company’s database, the vulnerability created a “supply chain” breach where a software provider’s flaw cascaded across thousands of customer organizations. This means affected individuals may have experienced multiple exposures—for example, a person whose Social Security number was stolen via both their healthcare provider’s compromised MOVEit server and their bank’s compromised MOVEit server. The litigation reflects this multiplied harm, with the MDL structure allowing victims to sue Progress Software directly rather than being limited to pursuing individual companies.
What Is the Current Status of MOVEit Transfer Litigation and What Comes Next?
As of 2025, the MOVEit Transfer MDL in Massachusetts continues progressing toward resolution. Several major organizations have already settled, but dozens of pending cases remain active, with total exposure potentially exceeding hundreds of millions of dollars for Progress Software. The company’s exposure increased substantially after the July 31, 2025 court ruling denying its motions to dismiss—a decision that indicated the court found the negligence and consumer protection claims legally sufficient to proceed, raising the likelihood of additional substantial settlements or a potential trial verdict. Looking ahead, several outcomes are likely.
Additional organizations affected by the breach may settle in the coming months, offering new compensation opportunities for affected individuals. The consolidated MDL is also likely to move toward global settlement negotiations, where Progress Software and the plaintiffs’ steering committee could agree to a company-wide resolution covering multiple outstanding cases. Progress Software’s remediation efforts and public commitments to security improvements may factor into these negotiations, as may the company’s insurance coverage limits. For affected individuals, the key is to monitor settlement announcements and ensure you file claims before deadlines pass—some settlements have already closed their claim windows, making immediate action essential for any still-open cases involving organizations that exposed your data.
Conclusion
The Progress Software MOVEit Transfer data breach represents a massive failure in corporate cybersecurity responsibility that has harmed tens of millions of individuals worldwide. The combination of a critical unpatched vulnerability, delayed disclosure, and broad exploitation across 2,500+ organizations created one of the largest and most impactful data breaches in recent history. Federal courts have rejected Progress Software’s efforts to dismiss negligence claims, signaling that victims likely have substantial legal recourse.
If you were affected by the MOVEit Transfer breach, take action now to determine which organization exposed your data, identify any available settlements, and file your claim before deadlines pass. The combination of credit monitoring services and potential compensation for out-of-pocket losses can provide meaningful recovery, but only if you actively pursue your claim. For additional guidance on your specific situation, consult with a qualified attorney specializing in data breach litigation.
