Microsoft's Nuance coughs up $8.5M to rid itself of MOVEit breach suit

(2025/08/18)


Microsoft-owned talk-to-text outfit Nuance has agreed to cough up $8.5 million to settle a class action lawsuit over the sprawling [1]MOVEit Transfer mega-breach – although it admits no liability.

MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen [2]READ MORE

The proposed [3]deal [PDF], filed in a Massachusetts federal court last week, would draw a line under litigation brought by individuals who claimed that the company failed to properly secure personal information later snatched by attackers exploiting Progress Software's MOVEit vulnerability.

Nuance, best known for its medical transcription and speech recognition systems, was one of hundreds of organizations caught in the blast radius of the Clop ransomware gang's 2023 mass exploitation of MOVEit Transfer. Court filings state that roughly 1.225 million people had their data siphoned from Nuance's MOVEit environment.

The plaintiffs accused Nuance of negligence, arguing that the company could have prevented or at least blunted the incident with "reasonable data security measures." They also pointed the finger at MOVEit developer Progress, claiming that the vendor hadn't made clear to users – including Nuance – that MOVEit wasn't a "set it and forget it" product when it came to securing transfers.

Nuance bristled at those allegations, countering that it couldn't be negligent for relying on a trusted product already deployed by "thousands of businesses and government entities worldwide." The firm stressed that it acted quickly once the flaw became public: taking its MOVEit instance offline, applying patches as Progress released them, and launching its own investigation.

Court filings also show Nuance planned to argue that negligence couldn't be established because it had no direct contractual relationship with the individuals affected. The data at issue, it said, had been supplied by downstream healthcare providers and custodians. "Nuance denies these allegations and any fault or liability in this matter," the memorandum reads.

Despite those repeated denials, Nuance opted to settle rather than roll the dice in court. If approved, the deal will provide payments to affected individuals as well as credit-monitoring services.

The $8.5 million settlement is modest by MOVEit class-action standards, where payouts can stretch into the high single digits or even tens of millions. What really sets Nuance apart is the context: it operates firmly in the healthcare space, where exposed patient data draws extra scrutiny from regulators and the media.

[7]Healthcare group Ascension discloses second cyberattack on patients' data

[8]Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility

[9]Krispy Kreme Doughnut Corporation admits to hole in security

[10]Amazon confirms employee data exposed in leak linked to MOVEit vulnerability

Nuance has consistently characterized itself as a victim, not a culprit, in the Clop campaign, which indiscriminately hoovered up files from exposed MOVEit servers worldwide.

The MOVEit breach has since become one of the most litigated cyber incidents in US history. Progress Software itself faces a swelling docket of lawsuits, while dozens of class actions have targeted its customers. For Microsoft-owned Nuance, this settlement may finally close the book on its MOVEit headache, though the wider fight over liability in supply-chain breaches is still far from settled. ®



[1] https://www.theregister.com/2023/11/20/moveit_victim_77m_medical/

[2] https://www.theregister.com/2023/11/20/moveit_victim_77m_medical/

[3] https://regmedia.co.uk/2025/08/18/095113124634.pdf

[7] https://www.theregister.com/2025/05/01/ascension_cyberattack/

[8] https://www.theregister.com/2024/12/16/ransomware_attacks_exploit_cleo_bug/

[9] https://www.theregister.com/2024/12/11/krispy_kreme_cybercrime/

[10] https://www.theregister.com/2024/11/12/amazon_moveit_breach/



Secure managed file transfer software

Anonymous Coward

Is it wise using the one app across government bodies to transfer files? I mean someone might try and hack it /s

ChoHag

Gee. I wonder what is the purpose of this "Secure File Transfer Program" that's baked into every computer OS except Windows?

Impossible to tell. Such obscure names these computer folk come up with! Oh well, we need to transfer some important files, let's find some charlatans we can pay top dollar to.

Paul Herber

Someone at MS 1: "Secure File Transfer Program", do we have any secure files?

Someone at MS 2: Not any more!

Someone at MS 1: Thought not, scrap that idea then!

/s
