Shareholder Sues SolarWinds for Alleged Security FailuresLawsuit Alleges Software Vendor Misled Investors Over the Security of Its Products
A SolarWinds shareholder has filed a lawsuit claiming the company included misleading statements regarding its cybersecurity in filings with the U.S. Securities and Exchange Commission.
On Monday, shareholder Timothy Bremer filed the lawsuit, which seeks class action status, against SolarWinds, its CEO and President Kevin B. Thompson and CFO J. Barton Kalsu. The suit claims the executives signed off on a series of 10-K and 10-Q SEC filings last year that contained information that misled stockholders to believe the company's products were secure, which led to the stock price being artificially inflated.
The lawsuit, which seeks unspecified damages, claims the defendants violated federal securities laws.
SolarWinds suffered a supply-chain attack, discovered in December 2020, that resulted in a backdoor being placed in its Orion network-monitoring software. The latest investigative reports estimate that about 250 organizations were severely affected, and federal intelligence agencies say Russia was likely involved (see: Severe SolarWinds Hacking: 250 Organizations Affected?).
Asked to comment on the lawsuit, a SolarWinds spokesperson said: "We are solely focused on helping the industry and our customers understand and mitigate this attack and quickly released hotfix updates to customers that we believe will close the vulnerability. We have also taken a number of steps to further secure our network and products, including through advanced endpoint detection and monitoring tools."
The Plaintiff's Claims
The lawsuit alleges that the company failed to reveal in its SEC reports that:
- Monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran;
- SolarWinds' update server had an easily accessible password of 'solarwinds123';
- SolarWinds' customers, as a result, would be vulnerable to hacking;
- The security flaws would cause the company to suffer significant reputational harm.
The lawsuit alleges that by portraying SolarWinds’ products as secure in its SEC filings, the company artificially inflated the company's stock price.
Shares of SolarWinds trade on the New York Stock Exchange, and were valued at $23.55 per share on Dec. 11, just before the supply-chain attack against it was discovered and publicly disclosed. But by the end of trading on Tuesday, the value of its stock had fallen to $14.43 per share - nearly a 40% decline.