SolarWinds Corporation and its CEO and CFO face a proposed class action lawsuit from investors following reported attempts by hackers allegedly working for the Russian government to gain access to email traffic at the United States Treasury and Commerce departments in mid-December 2020.
The 17-page securities case out of Texas alleges the IT infrastructure management software company issued materially false and/or misleading statements concerning its Orion monitoring products in the months leading up to the cyberattack on the federal government, financially injuring those who bought or otherwise acquired publicly traded SolarWinds shares from February 24 to December 15, 2020.
In a Form 10-K filed on February 24, 2020 for the fiscal year ending December 31, 2019, SolarWinds made mention of the increased risk, intensity, sophistication and number of attempted security breaches or cyberattacks from computer hackers, foreign governments and cyber terrorists, the lawsuit begins. In addition, the company noted that sophisticated hardware and operating system software and applications it procures from third parties “may contain defects in design or manufacture,” including bugs and other issues that may unexpectedly interfere with the operation of SolarWinds systems, the case relays.
In the same disclosure, SolarWinds conceded that because the methods used to obtain unauthorized access to or sabotage systems change so frequently and are generally obscured until they are launched against a target, the company may be “unable to anticipate these techniques or to implement adequate preventive measures,” the lawsuit states. Similarly, SolarWinds said it “may also experience security breaches that may remain undetected for an extended period,” attacks that might therefore have a larger impact on the products the company offers, the complaint reads.
According to the suit, such statements by SolarWinds were materially false and/or misleading in that certain adverse facts concerning the company’s business, operations and prospects were left out.
From the complaint:
“Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (1) since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran; (2) SolarWinds’ update server had an easily accessible password of ‘solarwinds123’; (3) consequently, SolarWinds’ customers, including, among others, the Federal Government, Microsoft, Cisco, and Nvidia, would be vulnerable to hacks; (4) as a result, the Company would suffer significant reputational harm; and (5) as a result, Defendants’ statements about SolarWinds’s business, operations and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times.”
The aforementioned weaknesses came to light on December 13, 2020 when Reuters reported that hackers alleged to be working for the Russian government had monitored email traffic at the U.S. Treasury and Commerce departments by way of “deceptively interfering with updates released by SolarWinds,” the lawsuit says. In a Form 8-K disclosure filed the following day, SolarWinds said it had been the subject of a hack on its Orion monitoring products, stating, in part:
“Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products. SolarWinds has taken steps to remediate the compromise of the Orion software build system and is investigating what additional steps, if any, should be taken. SolarWinds is not currently aware that this vulnerability exists in any of its other products.”
Upon this news, the price of SolarWinds shares fell 17 percent, damaging investors, the lawsuit states. On December 15, Reuters reported that a security researcher stated in 2019 that he alerted the defendants to the fact that “anyone could access SolarWinds’ update server by using the password ‘solarwinds123,’” the suit continues.
After this report was published, SolarWinds share prices fell again by eight percent, the complaint says.