DataBreachCost.com
Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
Case File 04.MOV / Progress Software / MOVEit Transfer | Disclosed 31 May 2023

MOVEit 2023: $2.7B aggregate, the largest supply-chain breach of the decade.

On 31 May 2023 Progress Software disclosed a SQL injection zero-day vulnerability in MOVEit Transfer (CVE-2023-34362) that the Cl0p ransomware group had been actively exploiting for several days. The campaign ultimately affected 2,700+ organisations, including federal agencies, state government departments, universities, healthcare entities, financial-services firms, and large corporates. The aggregate cost, estimated by IBM Security at $2.7B, makes MOVEit the largest supply-chain breach of the decade by total economic impact.

Affected orgs: 2,700+ (direct + downstream customers)

Records exposed: 95M+ (aggregate across affected orgs)

Aggregate cost: $2.7B (IBM Security 2024 estimate)

CVE-2023-34362: 9.8 CVSS (critical SQL injection)

Section MOV.1

What MOVEit Transfer is and why so many orgs ran it

MOVEit Transfer is a managed file-transfer (MFT) product developed by Ipswitch (acquired by Progress Software in 2019). Its core function is to provide a secure-by-default replacement for legacy FTP, with end-to-end encryption, audit logging, and granular access control for inbound and outbound file transfers between organisations and their partners. The product had been on the market since 2002 and held an estimated 35-40% share of the global managed-file-transfer market by 2023. Customers included approximately 1,700 direct organisations across federal agencies, state and local government, higher education, healthcare, financial services, energy, and large enterprise.

The cascade structure of the eventual breach reflected the cascade structure of file-transfer relationships. A direct MOVEit customer such as the National Student Clearinghouse used MOVEit to transfer transcripts on behalf of 3,600+ affiliated colleges. A direct customer such as a major payroll processor used MOVEit to transfer payroll data on behalf of thousands of employer clients. A direct customer such as a state government department used MOVEit to transfer benefit-program data covering millions of residents. The downstream-affected entities frequently did not run MOVEit themselves but had data flowing through MOVEit at their direct partners. Notification became extraordinarily complex.

By the time the full extent was clear in mid-2024, MOVEit had become the single most consequential supply-chain incident since SolarWinds, and arguably more impactful in terms of aggregate personal-data exposure than SolarWinds (which was primarily a state-sponsored intelligence collection operation rather than mass personal-data exfiltration).

Section MOV.2

The zero-day exploit chain

CVE-2023-34362 was a SQL injection vulnerability in MOVEit Transfer affecting all supported versions through 2023.0.0. The vulnerability allowed an unauthenticated attacker to inject SQL commands through the web interface, which Cl0p chained to deploy a web shell (named "LEMURLOOT") for persistent access. The web shell allowed file-system enumeration and download of transferred files, plus exfiltration of MOVEit database credentials.

Cl0p had been exploiting the vulnerability since at least 27 May 2023, four days before public disclosure. The first batch of exfiltration occurred during the US Memorial Day weekend, when affected organisations had reduced staffing for detection and response. Progress Software disclosed the vulnerability on 31 May 2023 with a patch, but the patch was only effective for organisations that applied it immediately. Many MOVEit customers applied patches within days but had already been exploited.
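The point above, that a patch applied after exploitation began does not undo a web shell already planted, is illustrated below as an added example (not code from Progress, CISA or this page's sources). It ranks script files on a web root against the exposure window, using the 27 May 2023 date from the page as a lower bound. The `C:\webroot` paths, the script extensions, the vendor baseline manifest and the patch time are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

UTC = timezone.utc
# From the page: exploitation seen since at least 27 May 2023 (a lower bound).
EARLIEST_KNOWN_EXPLOITATION = datetime(2023, 5, 27, tzinfo=UTC)
# Assumption: server-side script types worth reviewing on an IIS-style web root.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}

def triage(inventory, baseline, patched_at, margin_days=7):
    """Rank web-root script files against the exposure window.
    inventory: (path, created, modified) tuples with timezone-aware datetimes.
    baseline:  lower-cased paths from a vendor file manifest (hypothetical).
    Returns (priority, reason, path) tuples, most urgent first.
    """
    # "At least 27 May" is a lower bound, so look back a further margin.
    start = EARLIEST_KNOWN_EXPLOITATION - timedelta(days=margin_days)
    findings = []
    for path, created, modified in inventory:
        if PureWindowsPath(path).suffix.lower() not in SCRIPT_EXTS:
            continue
        known = path.lower() in baseline
        if not known and start <= created <= patched_at:
            findings.append((1, "new script created in exposure window", path))
        elif known and start <= modified < patched_at:
            # Strictly before the patch, which itself rewrites vendor files.
            findings.append((2, "vendor script modified in exposure window", path))
        elif not known and created > patched_at:
            findings.append((2, "new script created after patch", path))
        elif not known:
            findings.append((3, "script outside baseline, predates window", path))
    return sorted(findings)

# Constructed sample data: paths, timestamps and patch time are illustrative.
PATCHED_AT = datetime(2023, 6, 2, 14, 0, tzinfo=UTC)
BASELINE = {r"c:\webroot\login.aspx", r"c:\webroot\upload.aspx"}
T0 = datetime(2022, 11, 1, tzinfo=UTC)  # install date of the vendor files
INVENTORY = [
    (r"C:\webroot\login.aspx", T0, T0),
    (r"C:\webroot\upload.aspx", T0, datetime(2023, 5, 29, 3, 12, tzinfo=UTC)),
    (r"C:\webroot\helper.aspx", datetime(2023, 5, 28, 2, 40, tzinfo=UTC),
     datetime(2023, 5, 28, 2, 40, tzinfo=UTC)),
    (r"C:\webroot\logo.png", datetime(2023, 5, 28, tzinfo=UTC), T0),
    (r"C:\webroot\old_report.ashx", datetime(2021, 3, 4, tzinfo=UTC),
     datetime(2021, 3, 4, tzinfo=UTC)),
]
if __name__ == "__main__":
    for priority, reason, path in triage(INVENTORY, BASELINE, PATCHED_AT):
        print(priority, reason, path)
```

File timestamps can be altered by whoever wrote the file, so a hash comparison against the vendor manifest is a stronger check than the dates used here.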

Cl0p's subsequent extortion campaign was unusually structured. Rather than encrypting data and demanding ransom (the typical ransomware playbook), Cl0p ran a pure data-extortion campaign, publishing the names of affected organisations on its leak site and demanding payment in exchange for not publishing the exfiltrated data. The shift from encrypt-and-decrypt to pure data-extortion has since become more common among major ransomware groups.

Section MOV.3

Notable affected organisations and their costs

| Organisation | Records affected | Disclosed cost |
|---|---|---|
| Maximus (federal contractor) | 11M (Medicare beneficiaries) | $15M direct response per 10-Q |
| National Student Clearinghouse | 900+ colleges | Pass-through to colleges, $140M+ aggregate |
| Colorado Department of Health Care Policy | 4M residents | Estimated $10M+ |
| Louisiana Office of Motor Vehicles | 6M drivers | $10M+ state appropriation |
| Oregon DMV | 3.5M drivers | $8M+ state appropriation |
| Genworth Financial | 2.7M policyholders | Litigation reserve in 10-K |
| Shutterfly | Undisclosed | Notification and monitoring |
| BBC, British Airways, Boots, Aer Lingus (Zellis payroll) | Hundreds of thousands of UK employees | ICO investigations ongoing |
| Aggregate (2,700+ orgs) | 95M+ records | $2.7B per IBM Security 2024 analysis |

The full list of affected organisations is published by Cyber Management Alliance and is updated as new organisations confirm exposure. As of mid-2026 the list exceeded 2,700 distinct organisations.

Section MOV.4

Progress Software's own cost and SEC exposure

Progress Software's direct cost has been materially lower than the aggregate customer impact. Progress disclosed approximately $20-30M in direct response cost across legal counsel, forensic investigation, and customer-support response during the second half of 2023 and into 2024. Stock-price impact at the disclosure was sharp but short, with shares recovering to pre-disclosure levels within approximately six months as it became clear that the breach was contained at the vulnerability level and that customer churn would be limited (MFT migration is expensive and customers had limited near-term alternatives).

The longer-term Progress exposure runs through downstream-customer litigation. Multiple affected MOVEit customers have filed claims against Progress Software alleging negligence in the design, testing, and security review of the MOVEit Transfer product. The cases are at varying stages in federal and state courts. The aggregate exposure is difficult to estimate but likely runs into the low hundreds of millions of dollars across all matters, with Progress carrying cyber-liability insurance that is expected to cover a substantial portion.

The SEC opened an inquiry into Progress's disclosure practices in mid-2023, focusing on the timing and accuracy of public statements during the disclosure window. As of mid-2026 the SEC inquiry remains open without a public action. The case is being watched closely as a potential follow-on precedent to the SEC's SolarWinds action.

Section MOV.5

The MFT-architecture re-evaluation that followed

The MOVEit incident has driven a sector-wide re-evaluation of managed file-transfer architecture. Three observable shifts have emerged. First, enterprise customers are demanding zero-trust deployment models for MFT (where the MFT product cannot itself decrypt customer data without explicit per-transfer key release from the customer). Second, demand for direct cloud-native file-transfer alternatives (Snowflake Data Sharing, Databricks Delta Sharing, native cloud-provider object storage with cross-account access) has grown sharply, reducing reliance on standalone MFT products. Third, MFT-product evaluation criteria now include explicit assessment of the vendor's vulnerability-response track record, not just feature parity.

Progress itself has responded with substantial investment in MOVEit security architecture, including the launch of MOVEit Cloud with managed security controls and a public commitment to coordinated vulnerability disclosure with the cybersecurity research community. The post-MOVEit Progress security posture is materially stronger than the pre-MOVEit posture. Whether that is sufficient to retain customers in the post-incident competitive environment is the central question for Progress as a business through 2026 and 2027.

Primary source: MOVEit 2023 breach data from Progress Software SEC 10-K and 10-Q filings 2023-2024, CISA Joint Advisory AA23-158A, IBM Security 2024 supply-chain breach analysis, Cyber Management Alliance MOVEit tracker, and disclosed cost figures from affected organisations including Maximus 10-Q filings.