Bank of America and EY Settle MOVEit Breach Claims for $2.5 Million
Bank of America and Ernst & Young reach a $2.5 million settlement over the 2023 MOVEit breach. Details on the attack, impact, and defensive steps.
TL;DR: Bank of America and Ernst & Young agreed to a $2.5 million settlement to resolve claims tied to the 2023 MOVEit data breach. The deal ends litigation over alleged failures to protect personal data exposed through the exploited file‑transfer software.
Context: In late May 2023, attackers exploited a zero‑day SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer web application. The Cl0p ransomware group used the vulnerability to install webshells, exfiltrate data from thousands of organizations, and demand ransom. Bank of America and EY disclosed that customer and employee records were among the data taken, triggering class‑action suits alleging inadequate security controls.
Both firms issued breach notifications to affected customers in June 2023, citing exposure of names, Social Security numbers, and account details. State attorneys general opened investigations, and the SEC filed a disclosure request regarding material cybersecurity incidents.
Key Facts: The settlement amount is $2.5 million, covering both firms’ liability for the breach‑related claims. The agreement includes no admission of wrongdoing. The MOVEit incident affected over 2,600 entities and exposed roughly 60 million records globally, making it one of the largest supply‑chain cyber events of 2023. Investigators mapped the attack to MITRE ATT&CK techniques including T1190 (Exploit Public‑Facing Application), T1059.003 (Windows Command Shell), and T1070.004 (File Deletion).
What It Means: For security teams, the settlement underscores the financial risk of third‑party software vulnerabilities and the importance of rapid patching. Organizations should prioritize applying CISA’s emergency directive for MOVEit, disabling unused HTTP methods, and deploying web‑application firewalls that block SQL injection patterns. Monitoring for webshell indicators (e.g., unexpected ASPX files in MOVEit directories) and enforcing least‑privilege access can limit damage. Regulators may increase scrutiny of vendor‑management programs, so maintaining up‑to‑date inventories and contractual security clauses is advisable.
Defenders can hunt for the Indicators of Compromise shared by CISA, including specific file hashes and registry keys linked to the Cl0p webshell. Implementing network segmentation around file‑transfer servers limits lateral movement if a webshell is deployed.
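One way to implement the check for unexpected ASPX files mentioned above, as an added example that is not from the original article, CISA, or Progress Software: it compares the .aspx files under a web root with a known-good baseline and reports new, modified, and missing files. The temporary directory, file names, and file contents are constructed placeholders; the real application directory is an assumption you supply as `web_root`.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root):
    """Map each .aspx file (relative, lower-cased path) to its SHA-256."""
    found = {}
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(".aspx"):  # Windows paths are case-insensitive
                full = os.path.join(folder, name)
                rel = os.path.relpath(full, web_root).replace(os.sep, "/").lower()
                found[rel] = sha256_file(full)
    return found


def unexpected_aspx(baseline, web_root):
    """Return (new, modified, missing) .aspx paths relative to the baseline."""
    current = snapshot(web_root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return new, modified, missing


def demo():
    """Constructed sample: a temp directory stands in for the web root."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Default.aspx", "login.aspx"):
            with open(os.path.join(root, name), "w") as handle:
                handle.write("<%@ Page Language=\"C#\" %> vendor page " + name)
        baseline = snapshot(root)  # in practice, taken from a known-good install
        with open(os.path.join(root, "placeholder_dropped.ASPX"), "w") as handle:
            handle.write("constructed stand-in for a file that was not shipped")
        with open(os.path.join(root, "login.aspx"), "a") as handle:
            handle.write("<!-- constructed tampering -->")
        return unexpected_aspx(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Store the baseline off the server being monitored, so that anyone able to write to the web root cannot also rewrite the reference hashes.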
What to watch next: Watch for additional settlements or regulatory fines as more MOVEit‑affected firms conclude litigation, and monitor whether Progress Software releases further hardening guidance for its file‑transfer suite.