Austin-based software maker SolarWinds is being sued by an investor in the wake of a massive data breach that appears to have affected nearly every level of government, as well as potentially hundreds of private companies.
SolarWinds investor Timothy Bremer is the lead plaintiff in the lawsuit, which accuses the company of violating federal securities law and alleges SolarWinds made “materially false and misleading statements” related to security measures.
The lawsuit, which was filed Monday in U.S. district court, seeks class-action status.
The lawsuit accuses the company, CEO Kevin Thompson and chief financial officer J. Barton Kalsu of making “false and/or misleading” statements in regulatory filings with the U.S. Securities and Exchange Commission in February, May, August, and November of 2020.
News of the cyberattack broke on Dec. 13, with Reuters news service reporting that a sophisticated hacking group backed by a foreign government might have stolen information from U.S. government agencies. The breach appears to have affected nearly every level of government, as well as potentially hundreds of private companies.
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency has called the hack a grave risk to government and private networks, and experts say the damage will be difficult to detect and undo.
SolarWinds’ Orion software, which was breached in the attack, is used by a range of companies and agencies across all levels of government. As many as 18,000 of SolarWinds 300,000 customers might have been running SolarWinds software which contained a vulnerability that allowed hackers to penetrate various networks.
SolarWinds has released a number of software updates to address the problem. Reuters also reported a possible second breach around the same time in the SolarWinds system, which also has since been patched.
The Washington Post, citing unnamed sources, reported that the attack was carried out by Russian government hackers who go by the nicknames APT29 or Cozy Bear and are part of that nation’s foreign intelligence service. On Tuesday, federal officials from the Cyber Unified Coordination Group, which is made up of the FBI, CISA, Office of the Director of National Intelligence and National Security Agency, confirmed in a statement that the attack is likely Russian in origin.
The lawsuit filed against SolarWinds alleges that company executives knew non-public information about the company’s business, operations and prospects, and oversaw reports, press releases and public filings. The suit alleges the executives made false or misleading statements or failed to disclose the vulnerability in SolarWinds Orion monitoring products and led the company to “suffer significant reputational harm”
“Defendants’ statements about SolarWinds’s business, operations and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times,” the lawsuit says.
The lawsuit points to a range of allegations against the company, including a report from Reuters in which a security researcher alleged that in 2019 he warned the company he could get into the update server using the password “solarwinds123.”
It also asks a jury to consider whether the company’s stock was artificially inflated from Feb. 24 to Dec. 15. The suit was filed by Kristine Rogers of Dallas-based law firm Steckler Wayne Cochran and also names New York-based Rosen Law Firm on the filing.
In the filing, Bremer said he purchased two shares of the company stock in September, at $19.93 per share and bought 38 shares in October for $21.54 per share. Following the attack, SolarWinds stock dropped $3.93 per share or 17%. As of Tuesday, the stock had dropped to about $14.43 per share. The lawsuit alleges that Bremer and other defendants “suffered significant losses and damages” as a result.
SolarWInds did not directly comment on the lawsuit, but said it is continuing to work with federal law enforcement and intelligence agencies and third-party security experts to investigate the full scope of the attack.
“We are solely focused on helping the industry and our customers understand and mitigate this attack, and quickly released hotfix updates to customers that we believe will close the vulnerability. We have also taken a number of steps to further secure our network and products, including through advanced endpoint detection and monitoring tool,” the company said in a written statement.
Lawsuits aren’t out of the ordinary following a security breach. David Springer, an Austin-based lawyer for Bracewell LLP who specializes in securities litigation including cybersecurity issues, said hundreds of similar lawsuits are filed each year when a company sees a big drop in stock price.
“We’ll probably see more of these is because the crux of the lawsuit isn’t really about the nuances of cybersecurity or some kind of technical negligence or something like that.” Springer said.
Springer said the case could take years to litigate. It’s also likely if other lawsuits are filed against the company, they may be combined, he said.
“I don’t think it’s at all clear that SolarWinds is liable under the securities law, but nobody really knows. A lot of fact discovery will have to happen,” Springer said.
Source: Caller Times