Standards, Regulations & Compliance

Shareholder Sues SolarWinds for Alleged Security Failures

Lawsuit Alleges Software Vendor Misled Investors Over the Security of Its Products
Shareholder Sues SolarWinds for Alleged Security Failures

A SolarWinds shareholder has filed a lawsuit claiming the company included misleading statements regarding its cybersecurity in filings with the U.S. Securities and Exchange Commission.

See Also: Live Webinar | Identity Security in 2024: The Key to Compliance in Today's Regulatory Landscape

On Monday, shareholder Timothy Bremer filed the lawsuit, which seeks class action status, against SolarWinds, its CEO and President Kevin B. Thompson and CFO J. Barton Kalsu. The suit claims the executives signed off on a series of 10-K and 10-Q SEC filings last year that contained information that misled stockholders to believe the company's products were secure, which led to the stock price being artificially inflated.

The lawsuit, which seeks unspecified damages, claims the defendants violated federal securities laws.

SolarWinds suffered a supply-chain attack, discovered in December 2020, that resulted in a backdoor being placed in its Orion network-monitoring software. The latest investigative reports estimate that about 250 organizations were severely affected, and federal intelligence agencies say Russia was likely involved (see: Severe SolarWinds Hacking: 250 Organizations Affected?).

Asked to comment on the lawsuit, a SolarWinds spokesperson said: "We are solely focused on helping the industry and our customers understand and mitigate this attack and quickly released hotfix updates to customers that we believe will close the vulnerability. We have also taken a number of steps to further secure our network and products, including through advanced endpoint detection and monitoring tools."

The Plaintiff's Claims

The lawsuit alleges that the company failed to reveal in its SEC reports that:

  • Monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran;
  • SolarWinds' update server had an easily accessible password of 'solarwinds123';
  • SolarWinds' customers, as a result, would be vulnerable to hacking;
  • The security flaws would cause the company to suffer significant reputational harm.

The lawsuit alleges that by portraying SolarWinds’ products as secure in its SEC filings, the company artificially inflated the company's stock price.

Shares of SolarWinds trade on the New York Stock Exchange, and were valued at $23.55 per share on Dec. 11, just before the supply-chain attack against it was discovered and publicly disclosed. But by the end of trading on Tuesday, the value of its stock had fallen to $14.43 per share - nearly a 40% decline.


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.