SEC sues SolarWinds and CISO, says they ignored flaws that led to major hack
Enlarge (credit: Getty Images | Sean Gladwell)
The US Securities and Exchange Commission sued SolarWinds Corp. and Chief Information Security Officer Timothy Brown yesterday, alleging that they concealed security failures that led to a nearly two-yearlong cyberattack known as "Sunburst." The attack, reportedly carried out by Russian hackers, inserted malicious code into SolarWinds network-management software used by thousands of customers, including US government agencies and private companies.
From the time of its initial public offering in October 2018 until January 2021, SolarWinds and Brown "defrauded SolarWinds' investors and customers through misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened-and increasing-cybersecurity risks," the SEC lawsuit said. "SolarWinds' public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company's cybersecurity policy violations, vulnerabilities, and cyberattack."
The SEC sued the company and Brown in US District Court for the Southern District of New York. The SEC is seeking disgorgement of "ill-gotten gains," civil monetary penalties, and a permanent ban on Brown from acting as an officer or director for any company that issues securities.