What You Need to Know
- The attack on MOVEit may have exposed the personal information of about 26 million U.S. life, annuity and pension users.
- Some parties, included TIAA, wanted their cases considered separately.
- Others, including Genworth, supported centralization.
A judge in Boston will manage the pretrial proceedings for all of the MOVEit-related data breach lawsuits, including the suits naming life and annuity issuers such as Genworth Financial, Prudential Financial and TIAA as defendants.
Judge Karen Caldwell and two other judges on a multidistrict litigation panel ruled last week that Judge Allison Burroughs of the U.S. District Court for the District of Massachusetts should steer the litigation.
The panel knew of 101 actions subject to the centralization order, and Caldwell predicted, in the transfer order announcing the ruling, that more “tag-along” cases will come in. The centralization order does not affect suits filed in state courts.
MOVEit is a popular tool for moving big batches of sensitive data. Cases related to hackers’ attack on MOVEit are important to retirement advisors and their clients because many life insurance, pension and annuity issuers used a vendor relied used MOVEit to manage data. A ThinkAdvisor analysis found that the attack may have affected more than 26 million life, pension and annuity client accounts.
TIAA and other parties could not immediately be reached to comment. Progress Software has emphasized in past statements that it patched the MOVEit vulnerability as soon as it knew of it.
What it means: Many financial services executives and their lawyers will be heading to Burroughs’ court, on Fan Pier in Boston, to figure out how just what the attack did, how exactly it worked, and what they should do to help the people affected and guard against other attacks in the future.
The attack: Cl0p, a Russian group, breached MOVEit systems in May, according to the Cybersecurity and Infrastructure Security Agency, an arm of the U.S. Department of Homeland Security.
Cl0p was able to get the data stored on MOVEit servers. It tried to persuade companies to pay it ransom in exchange for keeping the records secure, and it is believed to have dumped most or all of the data it gathered online in August, according to media reports.
U.S. financial services clients were not the only people affected by the attack. Bert Kondruss, managing director of KonBriefing Research, estimates in his latest MOVEit attack impact update that breach reports show the attacked has affected at least 2,255 organizations and more than 62 million people around the world.
Breach reports suggest that many of the U.S. financial services company records affected included consumers’ names and Social Security numbers.
The litigation: Progress Software owns the business that runs the MOVEit system.