SEC Announces 'Enforcement Action' For SolarWinds Over 2020 Hack

SolarWinds has announced it is facing US Securities and Exchange Commission (SEC) enforcement action over the software company's massive data breach in 2020.

In a recent 8-K filing with the SEC, the company said it reached an agreement with shareholders, who originally sued SolarWinds over claims they were misled about the 2020 hack.

"SolarWinds was one of the biggest cyber-attacks of the last few years, so it is not surprising the company is now facing legal action," Julia O'Toole, CEO of MyCena Security Solutions, told Infosecurity.

"Even though the attack was discovered almost two years ago, many details around the incident are still unknown, and many of SolarWinds's customers still do not know if they were compromised."

According to the document, the claimants suggested the company misrepresented its security posture before and during the events connected with the hack and failed to monitor cybersecurity risks adequately.

"This legal action is stating that SolarWinds didn't do enough to secure its customers," O'Toole added. "The fact that attackers were potentially on the organization's network over a year before they were discovered signals this could be true."

The filing also addresses this point via a Wells Notice (a document warning that the SEC is planning to bring an enforcement action) after SolarWinds said its disclosures and public statements at the time of the breach were "appropriate."

The notice informs the firm of the regulator's intention to file enforcement action "with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures."

Several government departments were compromised during the hack, including NASA, the Justice Department and Homeland Security. The majority of the victims, however, were private companies like FireEye, alongside several Fortune 500 firms, hospitals and universities.

The US administration eventually attributed the hack to the Russian government.

"We are likely to see more action like this in the future, particularly as most organizations are not still securing and segmenting their network access properly," O'Toole warned.

According to the executive, when organizations allow employees to make their passwords or digital keys, they lose control of their network access segmentation.

"Organizations need to harden their networks against this using access encryption and segmentation. Otherwise, they could find themselves facing similar legal action to SolarWinds," O'Toole concluded.

The filing comes roughly a month after the SEC fined financial services giant Morgan Stanley $35m over data security lapses. More recently, the Commission charged Kim Kardashian $1.26m for failing to disclose a payment for promoting a cryptocurrency product.

What’s Hot on Infosecurity Magazine?