
4 companies charged by SEC for misleading investors after SolarWinds breach

The US Securities and Exchange Commission (SEC) has slapped four companies with charges after they misled investors by downplaying the severity of the 2020 SolarWinds cyber attack.

Daniel Croft
Wed, 23 Oct 2024

The SolarWinds Orion hack (the SolarWinds hack) was a supply chain attack that affected public and private organisations using the SolarWinds Orion network management system.

Over 30,000 organisations, including government agencies at local, state and federal levels, use the Orion software to manage their IT systems.

Threat actors gained access by inserting malicious code into a legitimate Orion update. When the update was deployed, customers who installed it also activated the malware, granting the threat actors backdoor access.


The incident quickly evolved into a rapidly spreading supply chain attack: the threat actors gained access to Orion customers’ networks and, from there, to the networks of those customers’ own partners and customers, and so on down the chain.

The threat actors were suspected nation-state hackers, which Microsoft identified as the Russian group Nobelium. The attack is widely considered one of the largest cyber attacks of all time.

Now, the SEC has said that Avaya Holdings, Check Point Software, Mimecast, and Unisys Corp all allegedly downplayed the impact the SolarWinds Orion cyber attack had on their systems.

“The Securities and Exchange Commission today charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cyber security risks and intrusions,” said the SEC in a press release.

According to the SEC, Avaya Holdings claimed at the time of the incident that the threat actor accessed a “limited number of [the] company’s email messages” despite knowing that the threat actor had also accessed 145 files stored in its cloud sharing environment.

Similarly, Check Point Software described the breach in “generic terms”, according to the SEC, despite being aware of the breach.

Mimecast has been charged for not disclosing the nature of the code stolen by the hackers and how many encrypted credentials the threat actors accessed.

Finally, despite knowing about the data breach and that gigabytes of data had been exfiltrated, Unisys described the risks of cyber security events as “hypothetical”, according to the SEC, which added that the downplaying of the incident was partially the product of “Unisys’ deficient disclosure controls”.

“Downplaying the extent of a material cyber security breach is a bad strategy,” said Jorge G. Tenreiro, SEC acting chief of the crypto assets and cyber unit.

“In two of these cases, the relevant cyber security risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialised. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

The SEC found that all four companies violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and several other rules.

Unisys will pay the largest penalty of the four organisations, having been charged with a US$4 million civil penalty.

Avaya has been charged US$1 million, Check Point US$995,000 and Mimecast US$990,000.

While none of the companies confirmed or denied the SEC’s findings, they all agreed to pay the penalties and cease and desist from violating the charged provisions in the future. They also cooperated with the SEC throughout its investigation.

“As today’s enforcement actions reflect, while public companies may become targets of cyber attacks, it is incumbent upon them to not further victimise their shareholders or other members of the investing public by providing misleading disclosures about the cyber security incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s division of enforcement.

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
