AUSTIN, Texas (CN) — Shareholders of Austin-based software firm SolarWinds claim in a federal class action lawsuit filed Monday that management misled investors by failing to disclose in public filings software vulnerabilities that ultimately led to a massive hack that affected over 18,000 private and government clients.
Lead plaintiff Timothy Bremer sued SolarWinds, chief executive officer Kevin B. Thompson and chief financial officer J. Barton Kalsu in federal court in Texas. Bremer claims the company filed at least four reports with the U.S. Securities and Exchange Commission since February 2020 and none of them disclosed that its Orion monitoring software “had a vulnerability that allowed hackers to compromise” servers it was running on.
“SolarWinds’ update server had an easily accessible password of ‘solarwinds123,’” the 17-page complaint states. “[C]onsequently, SolarWinds’ customers, including, among others, the federal government, Microsoft, Cisco and Nvidia, would be vulnerable to hacks.”
The hack was first revealed in news reports on Dec. 13. Four days later, the Cybersecurity and Infrastructure Security Agency issued an alert that stated the hack began “in at least March 2020” and remains a “grave risk” to government and infrastructure entities. Federal officials have described the cyberattack, which the government has blamed on Russia, as “the worst hacking case in the history of America.”
Members of Congress were later briefed that the hackers were able to break into dozens of email accounts at the Treasury Department.
Microsoft disclosed on Jan. 2 the hackers were able to access some of its source code in the break-in. A Microsoft spokesperson said its employees are working “around the clock” and will share information “when there is actionable information to share.”
A spokesman for SolarWinds said the firm “was the victim of a highly sophisticated, complex and targeted cyberattack” and is working with intelligence and law enforcement agencies to determine if it was hacked by a foreign government.
“We are solely focused on helping the industry and our customers understand and mitigate this attack, and quickly released hotfix updates to customers that we believe will close the vulnerability,” SolarWinds said in an email message Tuesday morning. “We have also taken a number of steps to further secure our network and products, including through advanced endpoint detection and monitoring tools.”
The lawsuit claims the publicly traded shares of SolarWinds were artificially inflated in price due to the alleged nondisclosures and that shareholders have been injured by the ensuing reduction in price since the hack was made public.
Shares of SolarWinds traded as high as $23.70 each on Dec. 8. They closed Monday at $14.53 a share.
The lawsuit seeks to include in the proposed class of plaintiffs anyone who purchased shares from Feb. 24 to Dec. 15. It seeks damages for violations of the Securities Exchange Act.
The complaint was submitted by Kirstine Rogers with Steckler Wayne Cochran in Dallas.