Nebraska bank to settle MoveIt data breach for $2.4M

  • Key insight: The preliminary $2.4 million settlement highlights the indirect liability banks face when third-party or fourth-party software vendors experience massive security failures.
  • What's at stake: Victims of the Union Bank and Trust breach face ongoing risks of identity theft and can claim up to $10,000 for extraordinary financial losses stemming from the incident.
  • Supporting data: The massive May 2023 MoveIt breach impacted 2,773 organizations and nearly 95.8 million individuals globally.

Overview bullets generated by AI with editorial review

A family-owned Nebraska bank agreed this month to pay nearly $2.4 million to resolve class action claims stemming from the massive May 2023 MoveIt data breach.

Union Bank and Trust Company reached the agreement after customers claimed in multiple lawsuits that cybercriminals exposed their personal identifying information by exploiting a vulnerability in a popular file-transfer software, according to a March 3 court filing.

Judge Allison D. Burroughs of the U.S. District Court for the District of Massachusetts granted preliminary approval of the settlement on March 9.

The Union Bank and Trust agreement represents a milestone in broader litigation over the 2023 MoveIt breach, in which hackers exploited a software flaw and broke into 2,773 organizations, according to cybersecurity firm Emsisoft, including at least 60 banks and credit unions across the U.S.

For bankers, the resolution highlights the liability financial institutions face when software products, including widely used ones, fail to secure sensitive customer data.

The original exploit and culprits

The breach originated from MoveIt Transfer (stylized MOVEit), a widely used file-transfer program developed by Massachusetts-based Progress Software.

In May 2023, cybercriminals exploited a so-called zero-day flaw — a security gap previously unknown to the software's developer — in the MoveIt code.

The flaw involved an "unauthenticated SQL vulnerability" that allowed outsiders to escalate their system privileges and infiltrate users' servers, according to a March 3 court filing requesting approval of the class action settlement.

A Russian cybercriminal group known as CL0P, or TA505, took responsibility at the time for the attack.

The ransomware gang used the software vulnerability to sneak into the servers of Progress Software's customers. Once inside, the hackers gained unauthorized access to customer environments, ultimately copying and stealing the sensitive information stored therein.

How the breach affected banks and the public

While some of the affected banks used the software directly, many were breached through their tech partner's tech partners — not a third-party vendor, but a fourth-party, fifth-party, and so on. Cybercriminals stole data from these banks indirectly through vendors that used the software for services such as payment processing and check clearing.

In the Union Bank and Trust case, the breach exposed the personally identifiable information (PII) of 204,291 people, according to the March 3 court filing.

The software vulnerability allowed the ransomware gang to steal data from 2,773 organizations and nearly 95.8 million individuals globally, according to a June 2024 analysis by cybersecurity firm Emsisoft. Financial and professional services represented 13% (roughly 360) of the total number of affected organizations.

Key defenses and judgments

Union Bank and Trust strongly denied any negligence or wrongdoing, arguing that it should not be held responsible for a defect in a widely used file-transfer program.

The bank "argues that it cannot have been negligent in using a trusted software product used by thousands of businesses and government entities worldwide," according to the March 3 filing.

Before agreeing to settle, the bank and other defendants tried to get the lawsuits thrown out by arguing the plaintiffs had not suffered actual, concrete harm.

However, in December 2024, Judge Burroughs largely denied those requests, ruling that the victims faced a substantial risk of future harm from the stolen data and determining that most of the victims "have standing to pursue their claims."

The bank also tried to dismiss the lawsuit by invoking a federal rule designed to keep local controversies out of federal court, arguing that the dispute primarily involved a Nebraska bank and Nebraska residents. Burroughs denied that request on the same day.

Details of the settlement benefits

Under the preliminary agreement, the bank will pay nearly $2.4 million into a settlement fund. Notably, the agreement does not release claims against Progress Software, allowing victims to continue pursuing damages from the creators of MoveIt.

Victims who do not wish to document their financial harm can claim a $100 "alternative cash payment," which the settlement administrator will adjust proportionally based on the total number of claims submitted.

Victims with documented out-of-pocket expenses can claim reimbursement for ordinary losses up to $2,500, including up to $100 in lost time. Victims who suffered severe financial hardships resulting directly from the breach can claim reimbursement for extraordinary losses up to $10,000.

Additionally, all victims can enroll in two years of free credit monitoring and identity theft protection services regardless of whether they submit cash claims.

Following her March 9 preliminary approval of the settlement, Burroughs scheduled a final fairness hearing for August.

The 'extremely complex' sprawl

The settlement represents just one piece of the sprawling multidistrict litigation. Other institutions have reached similar agreements to resolve claims stemming from the software vulnerability.

For instance, Cadence Bank agreed to pay $5.25 million into a settlement fund to resolve its respective class action claims.

The court also approved a settlement with Bank of Canton in October 2025 and scheduled a final approval hearing for a Nuance Communications settlement for this month.

The overall financial toll of the MoveIt vulnerability could be catastrophic. Based on IBM's estimate that a data breach costs an average of $165 per leaked record, the global MoveIt breach could carry an economic cost of more than $15.8 billion, according to the June 2024 analysis by Emsisoft cybersecurity analyst Zach Simas.

Simas noted that the sprawling nature of the incident highlights the steep challenges of securing data across interconnected third parties.

The sprawl of MoveIt incidents "is extremely complex, with some organizations being impacted because they used a vendor which used a contractor which used a subcontractor which used MoveIt," Simas wrote in his analysis.
