
Court denies SolarWinds bid to throw out breach lawsuit


A Texas judge has dismissed claims that former SolarWinds CEO Kevin Thompson was personally liable for deceiving investors about the company’s cybersecurity, but otherwise will allow a class-action lawsuit filed against the company, its executives and investors in the wake of the 2020 Orion breach to proceed.

The suit named the company, as well as Thompson, chief information security officer Tim Brown, chief financial officer J. Barton Kalsu and private equity firms Thoma Bravo and Silver Lake Technology Management (who collectively owned about 80% of the company at the time of the breach) as defendants. The shareholders argue that executives like Thompson and Brown knowingly misled investors in public statements about the company’s cybersecurity resilience, and that private equity owners Thoma Bravo and Silver Lake Partners pushed to not invest in cybersecurity operations at the company as part of their overall business strategy to keep costs low and eventually sell the company at a profit.

On Wednesday, Judge Robert Pittman ruled that the suits against SolarWinds, Brown, Thoma Bravo and Silver Lake Technology Management may move forward. On Brown, who was vice president of security architecture at SolarWinds and was promoted to chief information security officer following the breach, the court ruled that both his position overseeing cybersecurity at the company and his public statements in media interviews endorsing SolarWinds’ cybersecurity posture made him and SolarWinds liable.

“We disagree strongly with the claims made by the plaintiff and look forward to having the opportunity to present the true facts as this process continues beyond its current very early stage,” SolarWinds said in a statement sent to SC Media after publication.

The court also found that while other disclosed security incidents — like the reliance on the password SolarWinds123 for the company’s update server — haven’t been tied directly to the Orion breach, they still demonstrate “that the executives were at least reckless in not realizing that something was dangerously amiss.”

“The Court finds that Plaintiffs sufficiently plead that Defendant Brown acted with, at least, severe recklessness when he touted the security measures implemented at SolarWinds. Plaintiffs plead that Brown held himself out as a responsible and knowledgeable authority regarding SolarWinds’ cybersecurity measures,” Pittman wrote.

The consolidated lawsuit is composed of several class actions brought by shareholders following a damaging breach first disclosed in December 2020, when hackers tied to Russian intelligence were able to corrupt a software update for the company’s widely used Orion IT management software. That update subsequently facilitated the compromise of at least nine federal agencies and approximately 100 companies, and the disclosure caused SolarWinds stock to drop sharply in the following weeks.

Thoma Bravo and Silver Lake Technology Management, each of which had three executives who sat on the SolarWinds board of directors at the time of the breach, sold up to $459 million worth of shares in the company shortly before the hack was disclosed. Meanwhile Thompson, who stepped down Dec. 7, days before the breach was disclosed, sold around $15 million of stock the month prior. Both companies and Thompson have denied having knowledge of the breach at the time the trades were made.

Lawyers for Thoma Bravo and Silver Lake Technology Management have argued that both individual companies are minority shareholders at SolarWinds and there is no legal basis for combining their shares to give the impression that they collectively controlled company operations. Pittman did not accept that argument, saying plaintiffs had put forth enough evidence to indicate the two investors frequently acted in concert regarding management of SolarWinds.

“Texas district courts have held that bare allegations that shareholders acted jointly without allegations of how the shareholders worked together, either separately or jointly, are not sufficient,” Pittman concluded. “However, here, Plaintiffs have specified the activities Silver Lake and Thoma Bravo allegedly engaged in together to exert control over SolarWinds … noting that Silver Lake and Thoma Bravo ‘acted in unison, buying and taking the Company private together in 2016 — each paying $1.3 billion for their respective halves,’ ‘taking the Company public together again in 2018,’ ‘retaining equal amounts of shares of the Company,’ and selling ‘their SolarWinds shares after the 2018 IPO ... together, on the same day, and in nearly identical amounts.’”

For Thompson, the court found that shareholders have not provided sufficient evidence that the former CEO acted knowingly to deceive investors about the company’s security posture. It also found that Thompson’s knowledge and public statements around SolarWinds’ security were meaningfully different from Brown’s.

“Unlike Brown, Plaintiffs plead no facts to suggest that Thompson held himself out as an authority on SolarWinds’ cybersecurity measures, other than to broadly allege he focused on cost savings at the expense of cybersecurity,” Pittman wrote in his ruling. “The only specific allegation surrounding Thompson’s cost-cutting strategy is that he moved SolarWinds’ engineering offices to Eastern Europe, a place ‘notorious for cybercrime’ but does not allege Thompson was aware of this fact or aware of any potential or real threats that materialized as a result of this move.”

Pittman also ruled that the timing of Thompson’s stock sale prior to leaving was not by itself evidence of an intent to deceive, and that Thompson “has provided the Court with a plausible inference” that the stock sales were part of a plan established before the company became aware of the Orion breach.

“Plaintiff alleges Thompson’s sale of 39.16% of his SolarWinds shares, the majority during the period between when SolarWinds was advised about the breach and when the breach was publicly announced — is suspicious and should be taken as evidence he knew SolarWinds’ cybersecurity measures were severely lacking,” Pittman wrote. “However, Thompson offers the competing assertion that Thompson sold these shares shortly ahead of his previously announced departure from the company and executed according to a plan that was put in place in August 2020, before SolarWinds was purportedly given notice of the breach.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
