All active MDLs
MDL 3083Data Privacy & Security

MOVEit Customer Data Security Breach Litigation

The causation theory behind the MOVEit data breach centers on a zero-day vulnerability in the MOVEit Transfer software, a managed file transfer application. This flaw allowed attackers, notably the Cl0p ransomware group, to execute remote code and escalate privileges, leading to unauthorized access and exfiltration of sensitive data. The breach was facilitated by a flaw in input validation, enabling malicious requests to bypass security controls. The exfiltration mechanism involved covert channels within the software’s data transfer processes, siphoning off personal identifiable information (PII), financial data, and confidential corporate data. This direct exploitation caused harm by exposing victims to identity theft, financial fraud, and privacy violations, with expert analyses confirming the causal link between the software vulnerability and the data compromise.

MAU.S. District Judge Allison D. BurroughsMaster docket 1:23-md-3083Source: JPML · Updated July 1, 2026

240

Pending actions

352

Total actions filed

Active

Status

10/04/2023

Established

Filing deadline

No specific filing deadlines or statutes of limitations are explicitly stated in the court orders for MDL-3083. Typically, the applicable statute of limitations for data breach claims in the United States ranges from 2 to 4 years from the date of discovery, with Massachusetts law generally allowing three years from discovery for such claims.

Who qualifies

Plaintiffs qualify if their data was affected by the breach, demonstrated by notification or proof of exposure during the breach period, typically starting around May 2023. Affected data types include names, addresses, Social Security numbers, financial account information, and other PII. Plaintiffs must establish that their data was compromised during the breach window and that they suffered harm such as financial loss, identity theft, or emotional distress.

Products involved

  • MOVEit Transfer software

Alleged injuries

  • Identity theft and fraud due to leaked personal data
  • Financial losses from fraudulent transactions and remediation costs
  • Emotional distress, anxiety, and loss of privacy
  • Reputational harm and loss of trust for affected organizations

Bellwether trials

As of March 23, 2026, there are no publicly available updates on the bellwether trial schedule or recent verdicts for MDL-3083. The case remains in pre-trial stages with no announced trial dates or selections, according to court docket entries and legal news sources.

Settlement landscape

Recent settlements include a $5.25 million settlement for Cadence Bank, and settlements of $8.5 million each for Nuance Communications and Microsoft. Larger class actions have seen settlements up to $20 million, with ongoing negotiations and preliminary approvals indicating potential for substantial future settlements or verdicts.

Lead counsel

  • E. Michelle Drake (Berger Montague)
  • Karen Riebel (LockLaw)

This page is generated from the official JPML pending-MDL report and public court records, refreshed monthly. It is provided for attorney reference and is not legal advice.

MDL Match

Your next intake could have a mass tort hiding in it.

Screen it against 158+ active MDLs. Takes under 60 seconds.

Start matching now