Progress Software
PRGS
Information Technology
2
exclusion reasons
1 theme
Progress Software is screened out under 2 exclusion reasons spanning 1 issue category.
This page is part of our public exclusion list — a transparency tool that shows which companies we screen out and why. It is not investment advice, and it is not an accusation. It is a statement of values.
Progress Software is the developer of MOVEit Transfer, a secure file transfer application. In May 2023, a critical zero-day vulnerability in MOVEit was exploited by the Clop ransomware group, leading to one of the most widespread data breaches in history. The incident compromised sensitive data from thousands of organizations globally, including major corporations, government agencies, and universities.
The company faces ongoing legal and regulatory consequences from the breach. A Massachusetts court has rejected Progress Software's motion to dismiss key claims in a consolidated class-action lawsuit, allowing allegations of negligence, breach of contract, and unfair business practices to proceed. While the SEC notified Progress in August 2024 that it did not intend to recommend an enforcement action, the company remains exposed to significant financial damages from these civil suits. The pattern of a major security failure followed by litigation across multiple jurisdictions demonstrates systemic issues in product security and incident response.
Progress Software’s MOVEit Transfer file transfer solution contained a zero-day SQL injection vulnerability that was mass‑exploited by the Clop ransomware group in May 2023. The breach exposed sensitive data across hundreds of organizations, triggering multiple federal class action lawsuits consolidated in the District of Massachusetts. As of September 2025, the court has largely denied Progress Software’s motions to dismiss these claims.
The Securities and Exchange Commission opened a fact‑finding investigation into the incident in October 2023. While the SEC concluded its investigation in August 2024 without recommending enforcement action, the underlying civil litigation alleges that the company’s software security failures enabled widespread harm. This pattern of deploying business‑critical software with a vulnerability that enabled systemic data extraction fits the definition of a rent‑seeking platform that externalizes security costs onto its customers and their communities.
Research Sources
15 organizations
Related Exclusions
Wondering what we do invest in?
The Naughty List
A digest of changes to our exclusion list — new additions, removals, and the evidence behind them. We review the list continuously as new evidence surfaces.
Companies appear on our exclusion list based on our investment judgment — not because they've done anything illegal. This is a difference of values and opinion, not an accusation of wrongdoing. Exclusion does not constitute a recommendation against investing in any company, and absence from the list does not constitute a recommendation to invest.
This information is provided for educational and transparency purposes only and should not be relied upon as investment advice. Data is drawn from independent watchdogs, NGOs, government registries, and Ethical Capital's ongoing research — see Research Sources for the full list.
Ethical Capital LLC is a state-registered investment adviser in Utah (CRD #316032). Registration does not imply a certain level of skill or training.