'Inadequate Security Practices'

Pension Fund Victim Moves Court to Transfer 10 Related Cases to MOVEit Data Breach MDL

A plaintiff in a negligence lawsuit against MOVEit file transfer software parent company Progress Software Corp. (PSC) moved to transfer (MDL No. 3083) 10 related actions in the May 28 data breach to U.S. District Court for Minnesota, said a Friday filing with the U.S. Judicial Panel on Multidistrict Litigation.


Plaintiff Bruce Bailey, the named plaintiff in Bailey v. Progress Software Corp. and Pension Benefit Information (PBI), moved the JPML to transfer and centralize all related actions to the Minnesota court. The related actions allege Progress Software bears responsibility for a May 28 data breach in which data of over 15 million people was stolen as part of a security breach by Russian ransomware group CL0P. To date, 10 class actions have been filed alleging violations of common and state consumer protection laws, said the motion.

Victims of the MOVEit attack number 297 worldwide to date, said research company Kon Briefing's website Wednesday. U.S. victims include investment firms and banks; universities; telecom and technology companies; government agencies; and marketing, law, healthcare and logistics firms.

Progress Software said the MOVEit technical support team received an initial customer support call May 28 indicating “unusual activity,” said a June 5 SEC filing. An investigative team discovered a “zero-day vulnerability” in MOVEit Transfer software that could allow “unauthorized escalated privileges” and access to a customer’s “underlying environment.” The company contacted all MOVEit Transfer and Cloud customers May 30 about the breach and alerted them to remedial actions, said the filing. The engineering team developed a patch for all supported versions of the file transfer software, which was released May 31, it said.

Plaintiff Bailey, a resident of Highland, California, said he was informed June 25 by the California Public Employees Retirement System (CalPERS) that he was a victim of the data breach, said the complaint (docket 0:23-cv-02028). CalPERS announced it was the victim of a hack and exfiltration of sensitive personal information (SPI) involving 770,000 individuals in the pension fund. The total number of individuals affected by the breach as of Bailey’s July 5 filing was “at least 15 million,” it said. Data included names, Social Security numbers, and former and current employers, plus names of spouses, partners and children.

With the stolen information, hackers can carry out criminal acts such as filing fraudulent tax returns, using a person’s credit history, making financial transactions, opening credit card accounts, impersonating victims via mail and email and on social networks, stealing benefits and committing illegal acts, said the complaint.

Bailey brings the action on behalf of all individuals whose SPI was compromised due to PSC's failure to adequately protect their data, warn current and former customers of its “inadequate security practices,” and effectively monitor its platforms, the complaint said. MOVEit software purports to “securely” transfer sensitive information between parties and licenses its software to companies, including PBI, which have access to customers’ sensitive data. “PBI appears to have had control of the server in question that was breached,” alleges the complaint.

PBI indicated it became aware of the breach June 2, but “given the intrinsically critical nature of the security fix, it is highly unlikely” that PBI learned of the compromise later than May 31, “when PSC publicized it,” said the complaint. Such vulnerabilities are “routinely reported to clients before or concurrent with their public announcements, and if PBI did not update their systems for two days following the announcement of the vulnerability, this inaction is clearly negligent,” said the complaint.

In addition to negligence, Bailey claims breach of third-party beneficiary contract, unjust enrichment and violation of California’s Unfair Competition Law, Consumer Privacy Act and Business & Professional Code. He seeks for himself and the class orders enjoining defendants from engaging in the stated wrongful conduct, requiring them to encrypt and protect all data collected through the course of business, maintain a comprehensive information security program and educate class members about risks they face as a result of the breach, it said. The suit seeks an award of actual, nominal and consequential damages, plus attorneys’ fees and costs.

PSC didn't comment Wednesday. A data breach notice for PBI's business customers on the company's website says it patched its instance of MOVEit, promptly assembled a team of cybersecurity and privacy specialists, notified federal law enforcement, and contacted affected clients following notification. "Our clients’ and their customers’ privacy is our number one priority and PBI is working diligently with our clients to notify and support impacted individuals," it said.