Breach, Data Security

SolarWinds lawsuits merge as stockholders begin documenting financial losses

A judge approved the merger of three separate class action lawsuits filed against SolarWinds over the 2020 hack. (""SolarWinds letters" by sfoskett is licensed under CC BY-NC-SA 2.0)

A judge approved the merger of three separate class action lawsuits filed against SolarWinds over a 2020 hack and named a New York City pension fund as lead plaintiff as the organization laid out tens of thousands of dollars in stock losses that it claims resulted from the hack.

On Jan. 4, 2021, shareholder Timothy Bremer was named as lead plaintiff in a class action lawsuit against SolarWinds, alleging that the company and top executives deceived and misled investors about the cybersecurity risks they faced and the robust nature of safeguards that were put in place prior to the hack. They were quickly joined by two lawsuits led by another investor, Daniel Azpurua and the New York City District Council of Carpenters Pension Fund (NYC Carpenters).

In a motion filed March 9, lawyers for NYC Carpenters formally requested the consolidation of the three different lawsuits, to name the organization as lead plaintiff and for their selected lawyers to lead the combined class. According to court filings by NYC Carpenters, Azpurua did not oppose the requests while Bremer did not take a position.

The lawsuits cover years-worth of stock purchases that they claim were artificially inflated through deception by SolarWinds and top executives about their cybersecurity protections and risks. For example, the NYC Carpenters complaint covers individuals and organizations who bought SolarWinds stock between Oct. 18, 2018 and Dec. 17, 2020. In a related exhibit, NYC Carpenters documents nearly $1 million they invested in 23 different purchases of SolarWinds stock starting January 2019, when it sold for just over $14 a share and ending on June 3, 2020, six months before the breach was announced and when it was still selling for $19.41.

In total, NYC Carpenters claims it has lost at least $45,357 in losses, compared to $7,623 from Azpurua and $221 for Bremer. It represents among the first pieces of evidence put forth by the plaintiffs detailing concrete financial losses stemming from the hack.

“Specifically, NYC Carpenters should be appointed Lead Plaintiff because, of the three eligible class members that filed complaints, it has the ‘largest financial interest’ in the relief sought by the class in the action,” lawyers for the fund wrote.

U.S. district judge Robert Pittman granted that motion on March 2, clearing the way for the fund to appoint lawyers from Bernstein, Litowitz, Berger and Grossmann as lead counsel for the combined lawsuit.

All three lawsuits appear to rely primarily on public news reporting about the hack and subsequent reporting about cybersecurity weaknesses at SolarWinds to argue that the company materially misled investors and customers.

In particular, the complaints cite two articles from Reuters revealing the role SolarWinds’ Orion platform played in the breach of U.S. government agencies and the use of “solarwinds123” as a password for the Orion build server, as well as a December 2020 Bloomberg News article detailing three more state governments that were swept up in the hack. All three of these revelations, which had not been publicly known prior to their publication, resulted in notable declines in SolarWinds’ stock price shortly after.

The argument underpinning the lawsuit is that SolarWinds -- including former CEO Kevin Thompson and CFO J. Barton Kalsu, who are also named as defendants --  “failed to employ adequate cybersecurity safeguards and did not maintain effective monitoring systems to detect and neutralize security breaches” and that these failures left the company and its customers “particularly susceptible to cyber-attacks.”

They cite the widespread access to customer networks, including potentially sensitive account credentials, required for SolarWinds’ Orion software to operate properly, as well as statements made in an October 2018 initial public offering filing to the Securities and Exchange Commission that purport to demonstrate that SolarWinds executives knew they would be “unable to anticipate” a potential security breach due to the ever-changing nature of modern hacking techniques, that such breaches could remain undetected for “an extended period” and “could result in, among other consequences, damage to our own systems or customers’ IT infrastructure or the loss or theft of our customers’ proprietary or other sensitive information.”

Lawyers for SolarWinds, Thompson and Kalsu previously filed motions to delay deadlines for responding to the specific allegations until after the lawsuits were combined. The consolidation kicks off a 10-day timeline for the parties to negotiate a new deadline for filing a consolidated complaint and a response from SolarWinds.  

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.