A major tech company with widely-used software was allegedly warned of but failed to fix security vulnerabilities including the use of "solarwinds123" as a password on a public computer server, resulting in devastating security compromises in what one news outlet has called "among the most ambitious cyber operations ever disclosed."
An investor has filed a class action complaint against technology company SolarWinds Corporation after the company’s software was involved in a catastrophic cyberbreach allegedly compromising information security at potentially thousands of organizations worldwide, including Microsoft and U.S. military agencies. According to the complaint, the company knew of serious security vulnerabilities yet failed to correct them or notify customers, and failed to disclose the resulting risks to investors (Azpurua v. SolarWinds Corporation, January 14, 2021).
Cyberbreach. SolarWinds provides information technology (IT) infrastructure management software products in the United States and internationally. Its customers include vendors that service U.S. government agencies in the executive branch, the military, and the intelligence services, as well as thousands of private sector organizations.
According to the complaint, in December 2020, Reuters reported that hackers believed to be working for the Russian government had accessed emails at the U.S. Treasury and Commerce departments by interfering with software updates released by SolarWinds. The company filed a Form 8-K and issued a press release describing the incident, upon which the stock fell $3.93 per share, or 17 percent.
Subsequently, Reuters reported that last year, a security researcher warned SolarWinds that anyone could access the company’s update server using the password "solarwinds123." Even more damaging, according to another researcher, the malicious updates were still available for download for days after SolarWinds realized their software had been compromised. SolarWinds stock fell another 8 percent upon the news.
Alleged deficient disclosures. The class action complaint alleges that SolarWinds made misleading statements and failed to disclose material information regarding known security deficiencies, resulting in serious security vulnerabilities at major organizations including U.S. federal government agencies, Microsoft, Cisco, and Nvidia.
Specifically, the plaintiff alleges that SolarWinds failed to disclose that its Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran, and that SolarWinds’ update server had an easily accessible password of ‘solarwinds123’. Following cyberattacks at multiple organizations, SolarWinds suffered significant reputational harm and a drop in its stock price, harming investors.
Damages sought. In addition to SolarWinds, the complaint names the company’s CEO and CFO as individual defendants. The complaint asserts violations of Exchange Act Section 10(b) and Rule 10b-5, as well as controlling person claims. The plaintiff seeks class action certification, declaration as lead plaintiff, monetary damages and costs.
This is case No. 1:21-CV-00047.
MainStory: TopStory CyberPrivacyFeed Enforcement FraudManipulation PublicCompanyReportingDisclosure RiskManagement TexasNews
Interested in submitting an article?
Submit your information to us today!Learn More
Securities Regulation Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on securities regulation legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.