SolarWinds and its CEO and CFO have been sued by a shareholder for securities law violations. The Western District of Texas complaint argues that the company and key executives knew about a software vulnerability that created an opportunity for hackers to compromise products used by high-profile clients, including the federal government.
Yesterday’s lawsuit explains that SolarWinds offers information technology (IT) infrastructure management software to customers domestically and abroad. Its products purportedly “monitor and manage network, system, desktop, application, storage, and database and website infrastructures, whether on-premise, in the public or private cloud, or in a hybrid IT infrastructure.”
The filing accuses the defendants of failing to disclose that, from mid-2020, SolarWinds’ Orion monitoring products had a serious software vulnerability; that the company’s update server had an easily guessable password, ‘solarwinds123’; and that its customers would therefore be vulnerable to cyberattack, ultimately causing the company to suffer reputational harm. As evidence of the company’s knowledge of these shortcomings, the complaint points to two Reuters articles published in mid-December.
Reportedly, on Dec. 13, 2020, Reuters wrote that hackers thought to be working for the Russian government had monitored email traffic at the U.S. Treasury and Commerce departments. They were believed to have gained access by “deceptively interfering with updates released by SolarWinds, which services various government vendors in the executive branch, the military, and the intelligence services.”
Allegedly, in its Form 8-K filed with the Securities and Exchange Commission (SEC) the following day, SolarWinds said that it was aware of the vulnerability, the consequent possibility of cyberattack, and that it had taken remedial steps. SolarWinds’ shares then fell $3.93 per share, or 17%, to close at $19.62 per share on Dec. 14, 2020.
On Dec. 15, 2020, Reuters published a second article stating that last year, a security researcher alerted the company that anyone could access SolarWinds’ update server by using its simplistic password. The article also quoted another cybersecurity professional who noted that “‘days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.’”
The same day, the company’s shares fell $1.56 per share, or 8%, to close at $18.06 per share. For the harm suffered by investors, the complaint seeks certification of a class of persons or entities who purchased or otherwise acquired publicly traded SolarWinds securities from Feb. 24, 2020 through Dec. 15, 2020, as well as a jury trial, damages, and an award of costs.