
SolarWinds faces charges from SEC for failing to disclose cybersecurity issues – The Washington Post


The Securities and Exchange Commission sued software company SolarWinds on Monday for failing to publicly disclose alleged cybersecurity flaws that led to one of the largest computer breaches in history.

In a complaint filed in the Southern District of New York, the SEC alleges that SolarWinds and the company’s chief information security officer, Tim Brown, repeatedly violated the anti-fraud and internal controls provisions of the federal securities laws by not disclosing vulnerabilities that the company knew it was exposed to and that could lead to a hack.

SolarWinds later suffered a breach of its Orion network monitoring software that allowed hackers suspected of being linked to the Russian government to infiltrate thousands of customer organizations, including nine federal agencies. The breach began in 2019 but only became public in 2020.

On Monday, the company accused the SEC of “exaggerations” and described itself as “disappointed by the SEC’s baseless allegations related to a Russian cyberattack on an American company.” It said it was “deeply concerned that this action will jeopardize our national security” because it appeared to require companies to publicly disclose vulnerabilities before they had a chance to fix them.

Austin-headquartered SolarWinds says it has more than 300,000 customers, including 96 percent of the Fortune 500, and bills itself as a leading provider of software that manages and monitors a company’s information technology. The Government Accountability Office called the breach “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and the private sector.”

“Going back to at least October 2018, when SolarWinds conducted its [initial public offering], SolarWinds and/or Brown made materially false and misleading statements and omissions relating to SolarWinds’ securities risks and practices in at least three types of public disclosures through at least December 2020,” the SEC complaint states.

In a briefing with reporters, the SEC said the complaint was not about “Monday morning quarterbacking.” It said the company would have violated federal securities laws even if the breach had not occurred.

According to the SEC, Brown and others were extensively advised of vulnerabilities at SolarWinds but did not publicly disclose those problems. In an internal alert in September 2020, SolarWinds executives were told that “the volume of security issues identified in the last month exceeds the capacity of the engineering teams to resolve.” In another case, a senior manager noted in November of the same year: “We are far ahead” According to the SEC, the warnings date back to 2018.

The SEC said that in December 2020, SolarWinds also failed to disclose that attackers had already successfully exploited vulnerabilities against SolarWinds customers on multiple occasions in the past six months. The company could be ordered to pay a fine, the amount of which would be decided by a judge.

Since the SEC sent notices to the company this summer about a possible enforcement action, SolarWinds has vowed to fight it.

“We believe that such action is not warranted against the company or employees, and we will continue to evaluate a possible resolution of this matter before the SEC makes a final decision,” SolarWinds CEO Sudhakar Ramakrishna wrote in June in an internal email. “And if the SEC ultimately decides to pursue legal action, we intend to defend ourselves vigorously.”

Correction

An earlier version of this story incorrectly reported that SolarWinds was headquartered in Tulsa. The headquarters is in Austin. It was founded in Tulsa. This version has been corrected.