Files.com's Response to the Security Incident in Competing Software Product MOVEit
We are aware of the recent security breach and zero-day exploit impacting Progress Software’s MOVEit managed file transfer software. This incident became known over the Memorial Day holiday and is continuing now, impacting potentially thousands of businesses and government entities. Evidence suggests this vulnerability may have been exploited as early as March 2023.
First, we want to assure our customers that the specific MOVEit exploit has no impact on Files.com. MOVEit is a competing product in the MFT space, and we do not use the MOVEit product in any capacity. Files.com is an entirely bespoke platform built using modern coding techniques and best practices.
We are also aware that Microsoft’s Threat Intelligence team has attributed the MOVEit exploit to a threat actor group called Lace Tempest. Lace Tempest runs the “Clop” extortion site and has been linked to previous attacks against other MFT providers, including Fortra’s GoAnywhere earlier this year and Kiteworks’ Accellion FTA in 2020.
Our Risk Committee has reviewed the specific threat to MFT providers posed by Lace Tempest and other similar actors, and we take the threat seriously. We are committed to ensuring the confidentiality, integrity, and availability of our customers' data.
We have a comprehensive Compliance and Security webpage which explains in detail the protections, policies, and procedures we have already in place. These include:
- Regular Penetration Testing: Files.com undergoes third-party penetration testing on at least an annual basis. In addition to other standards, we specifically require our testers to include testing related to the OWASP Top 10 vulnerabilities. The OWASP Top 10 covers a multitude of risks, including injections, cache controls, hijacking, browser weaknesses, etc. It also specifically covers SQL Injection attacks, which is the type of attack used in the MOVEit exploit.
  Download the latest PenTest Completion Letter.
- Bug Bounty Program: Files.com also offers the security research community a Security Bug Bounty to encourage security testing by the community at large. This program is run in conjunction with security company HackerOne. Customers are welcome to participate in the Bug Bounty Program.
- Certifications and Audits: Files.com has completed multiple SOC 2 audits, including a recently completed SOC 2 Type II audit. Contact your Account Executive or Customer Support to obtain the latest SOC 2 report.
- Encryption:
  Files.com encrypts data in motion and at rest.
  We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections, as well as modern SSH encryption for inbound and outbound SFTP connections. Files.com uses SSL, including TLS, to encrypt data in transit.
  File contents (including backups) are encrypted at rest using AES-256, with all keys stored in a key-management escrow service operated by AWS.
  All access and authentication credentials are stored encrypted using AES-256 with a random initialization vector.
  Custom SSL certificates are provided free of charge to customers who use their own Custom Domain, or customers may provide their own certificate from the vendor of their choice.
  Customers on the Power, Premier, and Enterprise plans can choose to use their own GPG encryption keys to add an extra layer of customer-controlled encryption on a per-folder basis.
- Automated Vulnerability Scan Testing:
  Files.com undergoes regular automated vulnerability scans. These scans cover our external public-facing systems and the entire internal network. Any identified vulnerabilities are closed as soon as possible after detection, using the existing Patch Management and Change Management processes.
  Files.com also undergoes automated web application scanning, including for OWASP Top 10 vulnerabilities. Any identified vulnerabilities are closed as soon as possible after detection, using the existing development lifecycle processes.
- Access Controls and Permissions:
  Files.com provides world-class tools that allow customers to manage logical access according to their own policies.
  Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC), including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.
The MOVEit breach serves as another unfortunate reminder of the ever-evolving threat landscape. We hope that the impact on MOVEit’s customers can be minimized as much as possible, and we will continue to monitor the situation with MOVEit and the threats against MFT generally.
At Files.com, we remain dedicated to providing our customers with the highest level of security. If you have any further questions or concerns, please let us know how we can assist you.