Union Bank and Trust Settles MOVEit Breach Claims for $2.39 Million

In late May 2023, attackers exploited a zero‑day SQL injection flaw (CVE‑2023-34362) in Progress MOVEit Transfer software. The Cl0p ransomware group used the vulnerability to exfiltrate files containing names, Social Security numbers and other personal data from dozens of organizations, including Union Bank and Trust. The breach was discovered on May 31, 2023, after unusual outbound traffic was detected.

The settlement provides up to $2,500 for ordinary losses (calculated at $25 per hour for lost time) and up to $10,000 for documented extraordinary losses. Class members who suffered no provable loss may elect a $100 cash payment. All eligible individuals receive two years of three‑bureau credit monitoring and identity theft protection. Claims must be submitted by July 21, 2026; the final approval hearing is set for August 6, 2026.

The case underscores the financial risk of delaying patches for known vulnerabilities in widely used file‑transfer tools. Security teams should prioritize applying CISA’s MOVEit advisory, implementing network segmentation, and monitoring for anomalous SQL queries or large data exports. Regular third‑party vendor assessments and timely patch management can reduce exposure to similar supply‑chain attacks.