The 2023 MOVEit hack is one of those security breaches that continues to result in legal settlements three years after the initial compromise. Throughout the spring and summer of 2023, the Cl0p ransomware group took advantage of a weakness in Progress Software’s MOVEit Transfer application, which is used by thousands of enterprises to transfer sensitive files.
The list of impacted organizations resembled a directory of all businesses that deal with personal information, including banks, governmental organizations, academic institutions, healthcare networks, and accountancy firms. Among them were Ernst & Young and Bank of America, which collaborated on specific customer-related procedures. The multidistrict lawsuit that resulted from the breach notifications sent to almost 200,000 impacted people has been settled for $2.5 million this year.

| Bank of America MOVEit Settlement — Key Information | Details |
|---|---|
| Defendants | Bank of America, Ernst & Young (EY) |
| Settlement Amount | $2.5 million |
| Underlying Breach | MOVEit Transfer software vulnerability |
| Breach Date | May 2023 |
| Affected Individuals | Nearly 200,000 |
| Lost Time Reimbursement | $25 per hour, up to 4 hours ($100 total) |
| Ordinary Losses Cap | Up to $2,500 |
| Eligible Reimbursements | Bank fees, credit reports, credit monitoring |
| Claim Filing Window | 90 days following Notice Date |
| Final Approval Hearing | Week of June 8, 2026 |
| Litigation Type | Multidistrict litigation (MDL) |
| Vulnerability Vendor | Progress Software |
| Notable Threat Actor | Cl0p ransomware group |
| Reference Resource | Identity Theft Resource Center |
| Federal Reference | CISA MOVEit advisories |

The settlement’s structure adheres to the well-known model for class actions involving data breaches. Two types of compensation are available to eligible class members, meaning those who received a breach notification directly related to the Bank of America and EY MOVEit event. The first pays $25 per hour for up to four hours, with a $100 ceiling, to cover lost time.
This accounts for the time impacted people spent monitoring statements, freezing credit reports, contacting banks, and handling the practical fallout from having their personal information exposed. The second category covers ordinary out-of-pocket losses for verified expenses such as bank fees, credit report costs, and occasionally credit monitoring services, with a ceiling of $2,500 per claimant.
When the settlement’s logic is applied to the impacted population, it creates the kind of tension that frequently arises in data breach lawsuits. If everyone files, $2.5 million spread over almost 200,000 people equates to a meager recovery per person.
Because claim filing rates in these situations often fall between 5% and 15%, the actual compensation for individuals who do file claims will be higher than straightforward division would imply. After claims close, the settlement administrator handles the math. Depending on how the agreement is structured, any funds that are not paid out are usually handled in one of several ways.
Most casual observers are unaware of how important the deadline is. Each class member must file a claim within 90 days of the Notice Date, so the window for any individual is quite small. Claim notices usually arrive as an email or envelope that resembles the type of notice most people discard without reading.

The settlement will become legally binding following the final approval hearing, which is scheduled for the week of June 8, 2026. Even though their data was compromised, affected persons who fail to file by their personal deadline are not compensated.
The larger trend surrounding the MOVEit event has been the slow tail of settlements making their way through the legal system. Depending on the size of the impacted population and the particular data categories exposed, different organizations impacted by the same underlying vulnerability have reached settlements on different timelines and under varying terms.
The Bank of America/EY case sits in the middle of that range: significant enough to necessitate multidistrict consolidation, yet specific enough to settle for $2.5 million instead of the higher sums associated with breaches impacting tens of millions of customers.
It’s difficult to ignore the fact that a large portion of the consumer financial data exposure landscape is still driven by vendor-related breaches. The information itself was not taken from Bank of America’s own computers. It passed through a third-party software program that is used in regular business operations.
Affected clients still have to go through the claim filing process in order to seek compensation for their problems, the settlements are still paid, and the legal liability remains attached. The next batch of breaches will likely determine whether banks tighten their vendor risk management procedures in response to incidents like this one or whether the settlements just become a regular expense of doing business in 2026.