Burlington-based Progress Software discovered a critical security flaw in one of its products last week. Unfortunately, a gang of cyber criminals discovered it first. And now companies are scrambling to repair the damage.

Progress announced Thursday that it had discovered the flaw in its MOVEit software, which is used by companies to swap large amounts of data between servers.

Such flaws are not uncommon. Companies often detect and repair them before cyber criminals exploit them. But not this time. Soon after Progress made its announcement, cybersecurity companies including Boston-based Rapid7 reported that online criminal gangs were already using the security flaw to steal data.

“We have detected attacks going as far back as May 27,” said Caitlin Condon, Rapid7’s senior manager of security research. That’s several days before Progress identified the problem, indicating that the criminals had time to steal large quantities of information.

“We have had multiple cases where several gigabytes of data have been taken,” said Condon.

As of Tuesday afternoon, there were no reports of major US companies being affected by the MOVEit flaw. But several news agencies have reported that a UK payroll processing company called Zellis was breached and that at least three Zellis customers — the BBC, the pharmacy chain Boots, and British Airways — have warned their employees that their personal information may have been stolen. In addition, the government of the Canadian province of Nova Scotia has said that it’s been hit by a MOVEit attack.

A Progress Software spokesperson said the company immediately alerted its customers about the threat, and has patched the software to eliminate it.

A notorious cyber criminal gang called “Clop” has claimed responsibility for the data theft. The gang is believed to be based in Russia and specializes in attacking file transfer programs, which can provide access to huge amounts of sensitive information if successfully breached.

Clop has claimed responsibility for an attack in February on a file transfer company called Fortra and a similar 2020 attack on another file transfer company called Accellion. Both of these little-known companies provide services to giant firms, including consumer products company Procter & Gamble, supermarket chain Kroger, and energy company Shell.

Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.