U.S. securities regulators are delving into the widespread MOVEit hack, which has left the personal information of over 64 million individuals exposed, according to the creators of the affected software.

Progress Software revealed in a recent regulatory filing that it has received a subpoena from the U.S. Securities and Exchange Commission (SEC), requesting "various documents and information" regarding the MOVEit vulnerability. 

“The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security,” the filing added. “Progress intends to cooperate fully with the SEC in its investigation

In the same filing, Progress assured that it anticipates only a marginal financial impact from the MOVEit mass-hacks, despite the extensive scope of the breach.

The company outlined expenses of $1 million related to the MOVEit vulnerability, accounting for both received and anticipated insurance reimbursements of around $1.9 million.

Nevertheless, Progress cautioned that potential losses may still occur, as 23 affected clients have initiated legal proceedings against the company and are seeking indemnification. Additionally, 58 class action lawsuits have been filed by individuals claiming to be affected.

Although almost half a year has passed since the discovery of the MOVEit zero-day vulnerability, the precise number of affected MOVEit Transfer customers remains uncertain. Cybersecurity firm Emsisoft reports that 2,546 organizations have confirmed being impacted, affecting more than 64 million individuals.

Fresh cases continue to surface. Just last week, Sony acknowledged that over 6,000 employees had their data accessed in an incident related to MOVEit. Flagstar Bank also disclosed that more than 800,000 customer records were pilfered.

In its filing, Progress Software disclosed incurring additional expenses of $4.2 million linked to a distinct cybersecurity incident in November of 2022.

The filing did not divulge specifics about the event. However, John Eddy, a spokesperson for Progress, representing the company through a third-party agency, verified that during that period, Progress Software had identified signs of unauthorized entry into its corporate network, including evidence of certain company data being exfiltrated. The incident was made public in December 2022.

Progress Software has not disclosed the types of data that were accessed or the number of individuals affected. Eddy informed TechCrunch that the company maintained full functionality throughout the 2022 incident, which was unrelated to any "recently reported software vulnerabilities."

The company affirmed that expenses associated with this incident primarily encompassed the engagement of external cybersecurity experts and other incident response professionals. It also noted that it received approximately $3 million in insurance settlements.