SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.
The class includes stock buyers who acquired publicly traded SolarWinds securities from Feb. 24 to Dec. 15, 2020 and names SolarWinds, former CEO Kevin Thompson and Chief Financial Officer Barton Kalsu as defendants.
The complaint alleges that each individual defendant was directly involved in the company’s day-to-day operations at the highest levels, were privy to confidential information about business operations and oversight of internal controls and made false and misleading statements that violated securities law.
“Defendants…knew that the public documents and statements issued or disseminated in the name of SolarWinds were materially false and misleading; knew that such statements or documents would be issued or disseminated to the investing public; and knowingly and substantially participated in…such statements or documents as primary violations of the securities laws,” lawyers for the plaintiffs wrote in a complaint.
Lawyers for the class point to a 2019 financial report submitted under the Sarbanes-Oxley Act of 2002 where company officials say that rising rates and increasing sophistication of cyber attacks, an increasingly complex IT supply chain and the nature of zero-day exploits mean that security breaches were possible and “we may be unable to anticipate these techniques or to implement adequate preventative measures.”
“We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business,” SolarWinds continued.
In follow up filings in May, August and November 2020, company officials attested to the accuracy of those prior claims, which the lawsuit calls materially false or misleading because officials have known since “mid-2020” that SolarWinds’ Orion software had exploitable software vulnerabilities that could have led to just such an attack.
In a December filing to the Securities and Exchange Commission, SolarWinds stated that an investigation concluded that malicious hackers – which U.S. government officials have attributed to a group with ties to the Russian government – inserted the corrupted code within Orion’s build system between March and June 2020. The company’s stock price took an immediate tumble, and subsequent news stories about poor security trickled out in the days after at the same time SolarWinds stock fell further.
They also cite other poor security practices, such as the use of “Solarwinds123” as a password for their update server, and allege that SolarWinds executives knew the breach would result in significant reputational harm to the company and stockholders. By omitting what they knew about the breach and their own faulty security practices, the company and top officials were participating in a “fraudulent scheme” or were acting with reckless disregard for the truth throughout 2020, the lawsuit alleges.
“Had Plaintiff and the other members of the Class been aware that the market price of SolarWinds securities had been artificially and falsely inflated by Defendants’ misleading statements and by the material adverse information which Defendants did not disclose, they would not have purchased” the stock at the same price or at all, the claim asserts. In the months before the breach was announced publicly, SolarWinds' stock hovered between $19 and $23 a share. Following the disclosure, the price dropped to just over $14 a share, and currently sits at $14.53 per share.
The complaint alleges that Thompson and Kalsu in particular had direct culpability and “because of their senior positions, they knew the adverse non-public information about SolarWinds’s corporate governance and business prospects.”
SolarWinds could not be immediately reached for comment.
The lawsuit requests a trial by jury and the plaintiffs are seeking damages from both the company and the named individuals, “reasonable” payment for their court costs and any other further relief.
Oddly, the suit does not mention or reference the possibility that SolarWinds executives themselves may have conducted insider trading in between the time the compromised was discovered internally and when it was announced to the public. Three executives who sit on SolarWinds board sold hundreds of millions in stock in the days before the breach was disclosed. Thompson, who stepped down on Dec. 7, days before the announcement, also sold $15 million in company stock the month prior.
The lawsuit was not unexpected, and SolarWinds has become the latest company to learn firsthand that the price of dealing with a bad breach goes beyond incident response or asset replacement, often bringing hidden costs exponentially more expensive than the price of investing in security.