Current:Home > InvestUS regulators sue SolarWinds and its security chief for alleged cyber neglect ahead of Russian hack-LoTradeCoin
US regulators sue SolarWinds and its security chief for alleged cyber neglect ahead of Russian hack
View Date:2024-12-23 23:09:57
U.S. regulators on Monday sued SolarWinds, a Texas-based technology company whose software was breached in a massive 2020 Russian cyberespionage campaign, for fraud for failing to disclose security deficiencies ahead of the stunning hack.
The company’s top security executive was also named in the complaint filed by the Securities and Exchange Commission seeking unspecified civil penalties, reimbursement of “ill-gotten gains” and the executive’s removal.
Detected in December 2020, the SolarWinds hack penetrated U.S. government agencies including the Justice and Homeland Security departments, and more than 100 private companies and think tanks. It was a rude wake-up call on the perils of neglecting cybersecurity.
In the 68-page complaint filed in New York federal court, the SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”
In a statement, SolarWinds called the SEC charges unfounded and said it is “deeply concerned this action will put our national security at risk.”
Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.
The SEC’s enforcement division director, Gurbir S. Grewal, said in a statement that SolarWinds and Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The very month that SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state,” the complaint says.
Among the SEC’s damning allegations: An internal SolarWinds presentation shared that year said the company’s network was “not very secure,” meaning it was vulnerable to hacking that could lead to “major reputation and financial loss. Throughout 2019 and 2020, the SEC alleged, multiple communications among SolarWinds employees, including Brown, “questioned the company’s ability to protect its critical assets from cyberattacks.”
SolarWinds, which is based in Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
The nearly two-year espionage campaign involved the infection of thousands of customers by seeding malware in the update channel of the company’s network management software. Capitalizing on the supply-chain hack, the Russian cyber operators then stealthily penetrated select targets including about a dozen U.S. government agencies and prominent software and telecommunications providers.
In its statement, SolarWinds called the SEC action an “example of the agency’s overreach (that) should alarm all public companies and committed cybersecurity professionals across the country.”
It did not explain how the SEC’s action could put national security at risk, though some in the cybersecurity community have argued that holding corporate information security officers personally responsible for identified vulnerabilities could make them less diligent about uncovering them — and discourage qualified people from aspiring to such positions.
Under the Biden administration, the SEC has been aggressive about holding publicly traded companies to account for cybersecurity lapses and failures to disclose vulnerabilities. In July, it adopted rules requiring them to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays would be permitted if immediate disclosure poses serious national-security or public-safety risks.
Victims of the SolarWinds hack whose Microsoft email accounts were violated included the New York federal prosecutors’ office, then-acting Homeland Security Secretary Chad Wolf and members of the department’s cybersecurity staff, whose jobs included hunting threats from foreign countries.
veryGood! (466)
Related
- The state that cleared the way for sports gambling now may ban ‘prop’ bets on college athletes
- Preparing for early retirement? Here are 3 questions to ask before you do.
- Biden and Trump plan dueling visits to U.S.-Mexico border in Texas on Thursday
- Powerball winning numbers for Feb. 26, 2024 drawing: Jackpot rises to over $400 million
- Republican Rep. Juan Ciscomani wins reelection to Arizona US House seat
- UMass to join MAC conference, including previously independent football, per reports
- Body found in truck is man who drove off Alabama boat ramp in 2013
- Registrar encourages Richmond voters to consider alternatives to mailing in absentee ballots
- Homes of Chiefs’ quarterback Mahomes and tight end Kelce were broken into last month
- Hawaii’s governor releases details of $175M fund to compensate Maui wildfire victims
Ranking
- Robert F. Kennedy Jr. has a long record of promoting anti-vaccine views
- Massachusetts man sues state for $1M after serving 27 years in prison
- LeBron James takes forceful stand on son Bronny James' status in NBA mock drafts
- US couple whose yacht was hijacked by prisoners were likely thrown overboard, authorities say
- Missouri prosecutor says he won’t charge Nelly after an August drug arrest
- Nick Offerman slams 'homophobic hate' for his 'Last of Us' episode
- Macy's to close 150 stores, or about 30% of its locations
- Lawsuit claims isolation and abuse at Wyoming Boys School
Recommendation
-
Jennifer Garner Details Navigating Grief 7 Months After Death of Her Dad William Garner
-
One Tree Hill’s Bethany Joy Lenz Reveals She and Costar Paul Johansson Have Kissed IRL
-
Brandon Jenner, wife Cayley are expecting third child together
-
The solar eclipse may drive away cumulus clouds. Here's why that worries some scientists.
-
The Cowboys, claiming to be 'all in' prior to Dak Prescott's injury, are in a rare spot: Irrelevance
-
Jennifer Aniston forgets the iconic 'Rachel' haircut from 'Friends' in new Uber Eats ad
-
President Joe Biden makes surprise appearance on 'Late Night with Seth Meyers' for show's 10th anniversary
-
Chiefs coach Andy Reid shares uplifting message for Kansas City in wake of parade shooting