MOVEit Transfer Breach by Robert Gould
Introduction
The MOVEit data breach, caused by a vulnerability in the MOVEit Transfer managed file transfer product from Progress Software, had far-reaching consequences across multiple industries, including government and healthcare. CL0P, a well-known cybercrime group, exploited the vulnerability tracked as CVE-2023-34362, a SQL injection flaw in the product's web front end, to reach the back-end database of MOVEit Transfer instances run by major organizations. The breach exposed large volumes of personally identifiable information (PII), affecting millions of individuals. Because exploitation began over a holiday weekend, when IT staffing is typically reduced, the attackers were able to exfiltrate data before most victims noticed, which led to severe financial, legal, and reputational damage. The incident underscores the importance of proactive security measures and the cost of failing to address vulnerabilities promptly.
Background
MOVEit Transfer is a managed file transfer product designed and sold by Progress Software, a technology company headquartered in Massachusetts. The cybercrime group responsible for exploiting it was CL0P, a Russian-speaking ransomware and extortion operation. Mass exploitation of the vulnerability began on 27 May 2023, at the start of the U.S. Memorial Day holiday weekend, and Progress Software disclosed the flaw and released a patch on 31 May 2023.
Although Progress Software is itself a technology vendor, the breach extended far beyond that sector, affecting government entities and the healthcare industry, including institutions such as Johns Hopkins. The vulnerable component was the MOVEit Transfer software itself, which government agencies and large enterprises commonly use to exchange files securely. Notable agencies whose data was compromised included two Department of Energy (DOE) entities: Oak Ridge Associated Universities and the Waste Isolation Pilot Plant.
The timing of the incident played a significant role, as exploitation began at the start of a major U.S. holiday weekend. IT and security staffing is typically reduced during such periods, which likely contributed to the attackers' ability to exfiltrate data without immediate detection.
Breach/Compromise
CL0P has a history of attacks in which it deploys ransomware inside victim networks, and it pressures victims by publishing exfiltrated data on its CL0P^_-LEAKS site on Tor. In the MOVEit Transfer campaign the group did not need to deploy ransomware at all: it exploited CVE-2023-34362, a previously unknown (zero-day) SQL injection vulnerability, to gain unauthorized access to the application's database, and then extorted victims over the stolen data alone.
The systems targeted were internet-facing MOVEit Transfer servers, because the vulnerable code runs in the product's web front end and the injection reaches the back-end database that stores file metadata, user accounts, and settings. Victims were concentrated among financial institutions, government agencies, and healthcare providers, where the files passing through those servers held the most sensitive data.
Because of the nature of the targeted systems, the data exfiltrated was primarily personally identifiable information (PII) such as full names, addresses, financial details, and Social Security numbers. Reports indicate that over 2,700 organizations and approximately 93.3 million individuals were affected. To carry out the exfiltration, the attackers installed the LEMURLOOT web shell (deployed as a file named human2.aspx, mimicking the legitimate human.aspx page of the product), which used the application's own access to enumerate files and folders, retrieve Azure Blob Storage credentials, create privileged sessions, and download file contents as gzip-compressed responses. Because the shell was reached through ordinary HTTPS requests to the MOVEit web front end, the exfiltration blended in with legitimate traffic and was hard to spot.
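The indicators above translate directly into a log hunt. The script below is an added example, not code from the page's author, Progress Software, or CISA: it parses IIS W3C logs from a MOVEit Transfer host and flags two things, any request for the web shell filename human2.aspx (the indicator from the CISA advisory cited below) and the request sequence moveitisapi.dll, guestaccess.aspx, api/v1/token from a single client within a short window, which public analyses of the exploit chain reported and which is treated here as an assumption. The log lines, IP addresses, timestamps and the five-minute window are constructed for illustration.

```python
"""Hunt for LEMURLOOT / CVE-2023-34362 activity in IIS W3C logs from a MOVEit Transfer host.

Added example; the log lines are constructed, not real data. The web shell name
human2.aspx comes from CISA AA23-158A; the three-step request chain is taken from
public exploit analyses and is an assumption about how the chain appears in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C sample. IIS encodes spaces inside a field (e.g. User-Agent) as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes time-taken
2023-05-28 02:10:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 5120 31
2023-05-28 02:11:45 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.7 python-requests/2.31 200 412 9
2023-05-28 02:11:46 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 python-requests/2.31 200 1840 12
2023-05-28 02:11:47 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.7 python-requests/2.31 200 980 8
2023-05-28 02:11:49 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 python-requests/2.31 200 73400320 4200
2023-05-28 02:15:00 10.0.0.5 GET /human.aspx - 443 jdoe 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 5120 27
"""

WEBSHELL_STEM = "/human2.aspx"
CHAIN = ("/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/api/v1/token")
WINDOW = timedelta(minutes=5)   # assumption: the exploit chain completes within minutes


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # field names follow the directive
            continue
        if not raw or raw.startswith("#"):
            continue                      # other directives and blank lines
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue                      # malformed line: skip it rather than abort the hunt
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def chain_starts(reqs):
    """Timestamps at which CHAIN occurs in order, from one client, inside WINDOW.

    reqs is a time-sorted list of (timestamp, lower-cased uri-stem) for a single client IP.
    """
    hits = []
    for i, (t0, stem0) in enumerate(reqs):
        if stem0 != CHAIN[0]:
            continue                      # only start matching at the first stage
        nxt = 1
        for t, stem in reqs[i + 1:]:
            if t - t0 > WINDOW:
                break
            if stem == CHAIN[nxt]:
                nxt += 1
                if nxt == len(CHAIN):
                    hits.append(t0)
                    break
    return hits


def hunt(text):
    """Return findings: direct web-shell requests and exploit-chain sequences per client IP."""
    findings = []
    by_ip = defaultdict(list)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem == WEBSHELL_STEM:
            # sc-bytes on a web-shell GET is a rough measure of how much left the box
            findings.append({"type": "webshell_request", "ip": rec["c-ip"],
                             "ts": rec["ts"], "bytes_out": int(rec["sc-bytes"])})
        by_ip[rec["c-ip"]].append((rec["ts"], stem))
    for ip, reqs in by_ip.items():
        for t0 in chain_starts(sorted(reqs)):
            findings.append({"type": "exploit_chain", "ip": ip, "ts": t0})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The hunt keys on the request path only, because the X-siLock-Comment header the shell used for its password is not written to standard IIS logs; pair this with a check of the web root for any .aspx file that is not part of the product install, since an attacker can rename the shell. The two legitimate human.aspx requests from other clients produce no findings.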
Impact
The data compromised in the breach was primarily personally identifiable information (PII), which includes sensitive details that can lead to identity theft and a range of other consequences such as fraud. Stolen PII enables impersonation, social engineering attacks, sale of the data on the dark web, account takeovers, and even blackmail when the data is of an embarrassing nature. The financial impact on businesses was substantial: ORX News estimated the overall cost at up to USD 12.15 billion, although only about USD 20 million in actual losses had been reported by companies able to quantify them. In response to the breach, class action lawsuits were filed against Progress Software, and the Securities and Exchange Commission (SEC) opened an investigation into the incident.
In addition to the corporate response, civil lawsuits have been filed by various parties. On behalf of consumers, class actions seeking compensation for individuals whose personal data was stolen are ongoing. Commercial entities that suffered significant reputational or financial losses from the breach have also pursued legal action. As of early 2025, no enforcement actions by government agencies such as the Federal Trade Commission (FTC) have been finalized, but investigations remain active and regulatory scrutiny of Progress Software has intensified significantly.
Lessons Learned
Although the vulnerability is now tracked as CVE-2023-34362, many systems had already been exploited before it was identified: no patch existed when exploitation began on 27 May 2023, and Progress Software released one on 31 May, the day the flaw was disclosed. From that point the outcome depended on how quickly each organization applied the patch, checked its server for the web shell, and reviewed logs for the preceding days. Organizations that were prepared to patch and hunt at short notice limited their exposure; it was clear that not all had mature vulnerability management or skilled IT teams able to respond within days.
Affected organizations could have taken several steps to reduce the damage. Faster detection of the zero-day exploitation through anomaly detection on the MOVEit host (new .aspx files in the web root, unexpected database accounts, unusual volumes of data returned to a single client) would have shortened the window of exfiltration. Regular external security audits and penetration testing of the product by security firms might have surfaced the SQL injection flaw earlier. Encryption at rest offered less protection than one might expect: MOVEit Transfer does encrypt stored files, but LEMURLOOT ran inside the application and retrieved files through the application's own code path, so the data was decrypted for the attacker just as it would be for a legitimate user. Segmenting the MOVEit server from internal networks and restricting its outbound traffic would have done more to limit the blast radius.
While the root cause was not cryptographic, stronger database protections such as field-level encryption of the most sensitive columns could have reduced the value of what the injection exposed, with the caveat that an attacker executing queries as the application itself can often reach the decryption routine too. Progress Software generally adhered to common industry practices; however, the presence of a critical SQL injection vulnerability in an internet-facing product suggests that secure coding practices such as those recommended by OWASP (parameterized queries throughout, input validation, and code review focused on database access paths) were not consistently applied.
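The OWASP recommendation that matters most here is parameterized queries. The example below is added to illustrate the class of flaw, not code from MOVEit Transfer (which is an ASP.NET product) or from the page's author: it uses Python's sqlite3 module with a constructed users table and a constructed payload to show a string-built query beside its bound-parameter replacement, and adds the case parameters cannot cover, a caller-chosen column name, which has to be allow-listed instead.

```python
"""SQL injection: the vulnerable pattern beside its parameterized fix.

Added example using Python's sqlite3. It is not MOVEit Transfer code, only an
illustration of the flaw class behind CVE-2023-34362. Table, rows and the attacker
payload are constructed.
"""
import sqlite3


def setup_db():
    """In-memory table standing in for an application's user directory (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, home_folder TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "/home/alice"),
        ("bob", "bob@example.com", "/home/bob"),
        ("svc_backup", "ops@example.com", "/home/svc_backup"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """Attacker-controlled text is spliced into the statement, so it can change the query's logic."""
    sql = f"SELECT username, email, home_folder FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """The value is bound as a parameter: the driver treats it as data, never as SQL text."""
    sql = "SELECT username, email, home_folder FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers (column and table names) cannot be bound as parameters, so a
# caller-chosen sort column must be checked against an allow-list before it is
# interpolated. This is the one place string-building is unavoidable.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing to sort by untrusted column {sort_column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")]


# Constructed payload: closes the string literal and appends an always-true clause,
# turning "WHERE username = 'nobody'" into "WHERE username = 'nobody' OR '1'='1'".
INJECTION = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # every row comes back
    print("hardened:  ", lookup_hardened(db, INJECTION))     # no user is literally named that
```

The payload is a single statement, so the fact that sqlite3.execute refuses stacked statements gives no protection; the only fix is that the value never becomes part of the SQL text. The allow-list in list_users_sorted is the pattern for the residual cases (ORDER BY, table selection) where a parameter cannot be used.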
Organizational security policies play a crucial role in preventing breaches by driving proactive measures, including secure coding guidelines, vulnerability management, penetration testing, and incident response planning. Without strong and enforced policies, critical vulnerabilities can remain unnoticed and unpatched until they are exploited.
Conclusion
The MOVEit breach highlights significant lessons for businesses regarding cybersecurity preparedness and response. The exploitation of a zero-day vulnerability shows the risk organizations face when a fix is not applied swiftly and thoroughly once it exists, and when no one is watching the system in the days before it does. Strengthening detection, performing regular external security audits, and designing data protections that survive an application-level compromise could have mitigated the impact. The breach also emphasizes the importance of enforcing comprehensive security policies within organizations, from secure coding guidelines to incident response plans. As regulatory scrutiny increases, companies must learn from this event to prevent similar breaches, ensuring better protection for sensitive data and reducing the risk of financial and reputational harm.
References
Maryland Health Care Commission. (2025, April 17). Breach spotlight report. https://mhcc.maryland.gov/mhcc/pages/home/meeting_schedule/documents/presentations/2025/20250417/ag5_breach_spotlight_rpt.pdf
Cybersecurity and Infrastructure Security Agency. (2023, June 7). #StopRansomware: CL0P ransomware gang exploits MOVEit vulnerability (AA23-158A). https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
Traynor, O. (2024, April 2). The dangers of compromised credential leaks: What is PII? CybelAngel. https://cybelangel.com/the-dangers-of-compromised-credential-leaks/
ORX News. (2024, January). MOVEit Transfer data breaches: Deep dive. https://orx.org/resource/moveit-transfer-data-breaches#:~:text=Total%20costs%20of%20USD%2020,up%20to%20USD%2012.15%20billion.
SOCRadar Cyber Intelligence Inc. (2023, September 13). Top 10 facts about MOVEit breach. https://socradar.io/top-10-facts-about-moveit-breach/