MOVEit Customer Data Security Breach Litigation
The causation theory behind the MOVEit data breach centers on a zero-day vulnerability in the MOVEit Transfer software, a managed file transfer application. This flaw allowed attackers, notably the Cl0p ransomware group, to execute remote code and escalate privileges, leading to unauthorized access and exfiltration of sensitive data. The breach was facilitated by a flaw in input validation, enabling malicious requests to bypass security controls. The exfiltration mechanism involved covert channels within the software’s data transfer processes, siphoning off personal identifiable information (PII), financial data, and confidential corporate data. This direct exploitation caused harm by exposing victims to identity theft, financial fraud, and privacy violations, with expert analyses confirming the causal link between the software vulnerability and the data compromise.
240
Pending actions
352
Total actions filed
Active
Status
10/04/2023
Established
Filing deadline
No specific filing deadlines or statutes of limitations are explicitly stated in the court orders for MDL-3083. Typically, the applicable statute of limitations for data breach claims in the United States ranges from 2 to 4 years from the date of discovery, with Massachusetts law generally allowing three years from discovery for such claims.
Who qualifies
Plaintiffs qualify if their data was affected by the breach, demonstrated by notification or proof of exposure during the breach period, typically starting around May 2023. Affected data types include names, addresses, Social Security numbers, financial account information, and other PII. Plaintiffs must establish that their data was compromised during the breach window and that they suffered harm such as financial loss, identity theft, or emotional distress.
Products involved
- MOVEit Transfer software
Alleged injuries
- Identity theft and fraud due to leaked personal data
- Financial losses from fraudulent transactions and remediation costs
- Emotional distress, anxiety, and loss of privacy
- Reputational harm and loss of trust for affected organizations
Bellwether trials
As of March 23, 2026, there are no publicly available updates on the bellwether trial schedule or recent verdicts for MDL-3083. The case remains in pre-trial stages with no announced trial dates or selections, according to court docket entries and legal news sources.
Settlement landscape
Recent settlements include a $5.25 million settlement for Cadence Bank, and settlements of $8.5 million each for Nuance Communications and Microsoft. Larger class actions have seen settlements up to $20 million, with ongoing negotiations and preliminary approvals indicating potential for substantial future settlements or verdicts.
Lead counsel
- E. Michelle Drake (Berger Montague)
- Karen Riebel (LockLaw)
This page is generated from the official JPML pending-MDL report and public court records, refreshed monthly. It is provided for attorney reference and is not legal advice.