Wednesday, March 27, 2024
Courthouse News Service

Texas tech company can’t dodge investor suit over massive cyberattack

A federal judge refused to dismiss claims from investors that SolarWinds lied about its security procedures prior to a 2020 cyberattack linked to Russia.

(CN) — An Austin-based tech company may be liable to investors after it suffered a major security breach that caused its stock price to plummet, a federal judge ruled.

Although that company, SolarWinds, was itself a victim of the breach, the company may have acted recklessly in protecting its software, U.S. District Judge Robert Pitman held late Wednesday. The Barack Obama appointee said SolarWinds may have also misled investors by misrepresenting its cybersecurity efforts.

Pitman's order offered no definitive findings of wrongdoing by SolarWinds. Instead, the judge found investors had made plausible allegations and that claims could proceed against the company, its vice president of security and two top investment firms.

In a statement, a spokesperson for SolarWinds stressed that the lawsuit brought by the New York City District Council of Carpenters Pension Fund was still in a “very early stage” and that the company would defend itself in court.

“We disagree strongly with the claims made by the plaintiff,” the spokesperson said, “and look forward to having the opportunity to present the true facts.”

SolarWinds’ problems started in late 2020, when malicious code was found in the company’s Orion management software. The attack — which affected the Treasury, Commerce and Homeland Security departments, as well as various private companies — was linked to Cozy Bear, a hacking group reportedly run by the Russian Foreign Intelligence Service.

The U.S. Cybersecurity and Infrastructure Security Agency put out an emergency directive after the breach, urging government agencies to “disconnect or power down SolarWinds Orion products immediately.” SolarWinds’ stock took a nosedive, falling from around $25 per share before the news to less than $15 a week later.

SolarWinds soon found itself in the crosshairs of investors and regulators. Its investors had dumped around $280 million in stock before the hack became public, raising questions about insider trading, The Washington Post reported.

The Department of Justice, the Securities and Exchange Commission and several state attorneys general are investigating the company for alleged misconduct, Wednesday's court order noted. The details and status of those investigations were not immediately clear.

Last year, a group of investors led by the carpenters pension fund sued SolarWinds under the Securities Exchange Act. By misrepresenting its security procedures to investors, SolarWinds was able to sell its stock at “artificially inflated prices,” the complaint alleged.

SolarWinds, the investors argued, had built a large customer base that included government agencies by “falsely and misleadingly” touting its security procedures.

Among other evidence, the lawsuit pointed to the company’s update server, which used the password “solarwinds123” — a password that SolarWinds admitted in court was a violation of its own password policy. The complaint also cited a company meeting from 2017, in which an adviser warned that SolarWinds products were “incredibly easy to hack” and that “the survival of the company depends on an internal commitment to security.”

In August, SolarWinds tried — unsuccessfully — to dismiss the case. It had “disclosed the risks of a cyberattack in its SEC filings” and therefore should not be held liable for the attack, lawyers for the company argued.

In the motion, SolarWinds argued that it too was a victim of the Russian operation and that “no reasonable investor” could have assumed that the company “viewed itself as impervious to attack.”

Cyberattacks “are a risk that all companies face in today’s world,” the filing argued, describing the Cozy Bear breach as “the most sophisticated cyberattack in history.”

So far at least, those arguments have proved unconvincing to judges. In his order on Wednesday, Pitman ruled that investors had adequately alleged both misleading statements and scienter, a legal term for intentional deceit or misconduct.

While the “solarwinds123” password was not a factor in the hack, it nonetheless strengthened allegations that there were “underlying security issues” at the company, Pitman wrote. The plaintiffs, he noted, were simply alleging that “cybersecurity measures at the company were not as they were portrayed.”

In his order, Pitman also took particular issue with SolarWinds' claims about its “security team.” In fact, there were apparently only two employees focused on security.

“Two workers with different titles employed at different times,” the judge wrote, “does not necessarily mean there was a ‘team.’”

Pitman refused to dismiss claims against Silver Lake and Thoma Bravo, two private-equity companies which at one point owned 80% of SolarWinds stock and which allegedly “sacrificed cybersecurity to generate short-term profits.” As the primary owners of SolarWinds, they had the “power to control” any allegedly false statements, the judge wrote.

Pitman also declined to toss claims against Tim Brown, the company’s vice president of security. Brown was “the face (literally)” of security at the company, according to the order, and “regularly wrote articles and appeared in interviews” endorsing the company’s security procedures.

The judge did, however, dismiss claims against Kevin Thompson, the former CEO of SolarWinds. Thompson had never portrayed himself as “an authority on SolarWinds’ cybersecurity measures,” and plaintiffs were only able to “broadly allege he focused on cost savings at the expense of cybersecurity,” Pitman wrote.

The New York City District Council of Carpenters Pension Fund could not be immediately reached for comment on the order.

Follow @stephentpaulsen
Categories / Business, Government, National