SolarWinds Scandal: When Cybersecurity Giants Stumble Over Security Failures

In a cosmic twist of irony, cybersecurity company SolarWinds is being sued by the SEC over security failures. The “SolarWinds Sunburst Cyberattack Lawsuit” alleges they concealed a two-year cyberattack, misleading investors and customers. It’s a SolarFlare of a situation for the company, reminding us all that honesty is the best policy, even in cyberspace.

Hot Take:

Looks like our friends over at SolarWinds have found themselves in a bit of a scorching situation. Accused of sweeping a two-year-long cyberattack under the rug, the company and its Chief Information Security Officer are now facing the wrath of the US Securities and Exchange Commission. Let’s just say that their forecast is looking more like a SolarFlare than a breezy day. The irony of a cybersecurity company being sued over security failures is not lost on us. A friendly reminder, everyone: honesty always pays off!

Key Points:

  • The SEC is suing SolarWinds and Timothy Brown, the company’s Chief Information Security Officer, for concealing security failures leading up to the two-year-long “Sunburst” cyberattack.
  • The cyberattack was allegedly carried out by Russian hackers who inserted malicious code into SolarWinds’ network-management software, affecting thousands of customers, including US government agencies and private companies.
  • SolarWinds and Brown are alleged to have misled investors and customers about the company’s cybersecurity practices and risks from the time of their initial public offering in 2018 until January 2021.
  • The SEC is seeking disgorgement of “ill-gotten gains,” civil monetary penalties, and a permanent ban on Brown from acting as an officer or director for any company that issues securities.
  • SolarWinds and Brown are accused of violating the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934, among other violations.

Need to know more?

Caught Red-Handed:

The SEC's lawsuit accuses SolarWinds and Brown of years of ignoring clear warning signs about the company's cyber risks. This oversight led one of Brown's subordinates to conclude that the company was far from being security-minded. Instead of addressing these vulnerabilities, they allegedly engaged in a campaign to misrepresent the company's cyber controls environment, depriving investors of accurate information.

Delivering Danger:

According to the SEC, SolarWinds and Brown violated numerous antifraud provisions and reporting requirements. Brown, who has been with the company since 2017, knowingly delivered compromised software to over 18,000 customers worldwide. This software allowed threat actors to access the systems of these customers, resulting in the Sunburst attack.

Blind to the Risks:

The SEC's press release summarizing the lawsuit claims that SolarWinds' SEC filings misled investors by disclosing only generic risks when the company and Brown were well aware of specific deficiencies in the company's cybersecurity practices. It turns out that when you play with fire (or in this case, the sun), you're likely to get burned.