The U.S. Securities and Exchange Commission has opened an investigation into the MOVEit vulnerability that has been used to compromise and steal data from thousands of companies and organizations as a Michigan-based bank has become the latest victim.
MOVEit is managed file transfer software offered by Progress Software Corp. that is designed to provide secure and compliant file transfers for sensitive data within and between organizations. A vulnerability in the software discovered earlier this year, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.
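The vulnerability class named above, an unauthenticated SQL injection, comes down to user-supplied text being spliced into a query. The following added example (not MOVEit's code, not Progress Software's, and not a reproduction of CVE-2023-34362) illustrates the general pattern with a constructed SQLite table: the same lookup written two ways, one that concatenates input into SQL and one that binds it as a parameter, so a defender can see why the second never treats input as SQL.

```python
import sqlite3

# Constructed sample data for the illustration; this is not MOVEit's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "tok-alice"), ("bob", "tok-bob")])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable pattern: caller-controlled text becomes part of the SQL statement,
    # so quoting characters in the input change the query's logic.
    query = f"SELECT token FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))

def lookup_parameterized(conn, username):
    # Hardened pattern: the driver binds the value separately from the statement,
    # so whatever the input contains is compared as data, never parsed as SQL.
    rows = conn.execute("SELECT token FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)

def demo():
    # Returns both lookups' results for a benign and a constructed hostile input,
    # so the difference between the two patterns is visible as return values.
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed test input containing a quote
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the hostile input, the concatenating version returns every token in the table because the quote closes the string literal and the remainder becomes part of the WHERE clause; the parameterized version returns nothing, since no user has that literal name. The practical takeaway for reviewers is that the fix is structural (bound parameters everywhere input reaches a query), not a blocklist of characters.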
The number of victims is difficult to keep a tally of, as many compromises involved third-party providers. About 890 universities were affected in a MOVEit attack on the National Student Clearinghouse in September and other victims include the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd., the U.S. Department of Energy, Shell Plc, UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druckmaschinen AG and Landal Greenparks.
The latest victim, Flagstar Bank N.A., which, along with providing banking services, is also one of the largest residential mortgage servicers in the U.S., disclosed in a breach notification to customers that Fiserv Inc., a vendor it uses for payment processing and mobile banking services, had been compromised. As a result, personal data from 837,390 customers is believed to have been stolen.
Fiserv is a New York Stock Exchange-listed financial technology company that provides services to banks, finance companies and others, including Google LLC and Microsoft Corp. If Fiserv was compromised, the list of MOVEit victims among its customers alone is potentially much bigger than just Flagstar Bank.
News of the SEC investigation into the ongoing attacks came via an SEC disclosure made by Progress Software. In the Oct. 10 filing, the company disclosed that it has received a subpoena from the SEC seeking “various documents and information” relating to the MOVEit vulnerability.
“The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security,” the filing added. “Progress intends to cooperate fully with the SEC in its investigation.”
The SEC investigation is not the only issue facing Progress Software over the MOVEit vulnerability. The company also disclosed that it is being sued directly by 23 affected customers and that it has been named in 58 class action lawsuits. Progress further added that it has been cooperating with “several inquiries from domestic and foreign data privacy regulators” and “inquiries from several state attorneys general.”
The SEC so far has not made a public comment on the investigation. That the SEC is only now subpoenaing information suggests that the investigation may be in its early days.