Refresher: SolarWinds is that company that develops IT management software. The hack (suspected to be carried out by the Russians[1]) involving SolarWinds' systems and software penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.

[1] https://web.archive.org/web/20220101181934/https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html
> SolarWinds:
>
> (i) used weak passwords for its software download webpages such as "solarwinds123"
>
> (ii) did not properly segment its IT network
>
> (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software
>
> (iv) cut investments in cybersecurity
>
> (v) listed its sensitive and high-value clients on its webpage for anyone to see.

I, for one, am shocked!

I think (hope) the importance of secure software may finally become better respected by companies. Seems ransomware is now only the beginning, since you'll later be sued as well!
Harm for SolarWinds is a lot more than the 24% decline in revenue. When we signed our cyber insurance policy they made us attest that we had no SolarWinds software running in our network or on company assets.
The really interesting things are the apparent areas for redaction in the original lawsuit [0] pdf. For example:

1. "This action asserts derivative claims on behalf of SolarWinds against current and former members of the Company's board of directors (the "Board"), for their utter failure to implement or oversee any reasonable monitoring system concerning [redacted] cybersecurity risks fundamental to SolarWinds' only line of business. [entire sentence redacted]"

2. Paragraph 5 is redacted entirely, but paragraph 6 states "these warnings underscored the specific and heightened risk." Does that mean that paragraph 5 contained notes from previous warnings that were ignored? If so, that's very interesting.

3. Paragraph 7's last sentence on warnings is redacted, and paragraphs 8, 9, and 10 are redacted. Paragraph 11 starts by saying that oversight failures were at play. Perhaps people inside were both warned and ignored warnings prior to the attack taking place?

The rest of the complaint contains a very similar pattern: large swathes of redactions in and around failures to monitor the situation and failures to account for risk exposure.

Paragraph 79: "By utterly failing to implement or oversee any reasonable monitoring system concerning the Company's cybersecurity risks, SolarWinds' Board disabled itself from being informed of mission critical risks at the Company and breached its fiduciary duties to the Company and its shareholders."

Yikes.

[0]: https://github.com/jaybobo/jaybobo/blob/main/docs/solarwinds-complaint/20211104-shareholders-vs-solarwinds-board-filing.pdf
I'm curious about the general effect of breaches on public corps' stock prices.

This one took a dive after their breach and kept going down. Experian, as a different example, has been on a tear for 10+ years with only smaller transient dips, despite millions of consumers injured.
Is there precedent for holding the board personally liable for something like this? That seems both morally questionable and likely to have lots of significant negative effects on how organizations run.