Two pension funds have filed suit against SolarWinds Corporation and its board members for oversight failures arising from a massive cyberattack in early 2020. The two pension funds allege that SolarWinds ignored widespread warnings about the company’s heightened risk for attack.
The suit, first filed under seal last week, was brought on behalf of Central Laborers’ Pension Fund and Construction Industry Laborers Pension Fund in a Delaware court. Both pension funds are SolarWinds stockholders.
At the heart of this suit is a cyberattack conducted by Russian hackers, which reached as many as 18,000 SolarWinds users in 2020, although the actual number of users compromised was much smaller. The hack, which may have begun as early as March 2020, went undetected by the company for months. It was not until December 2020 that SolarWinds finally announced it had learned of the attack. As a result of the attack, hackers gained access to a large trove of sensitive information and consequently were able to infiltrate mailboxes of federal government agencies such as the US Department of Justice, as well as other top US technology companies.
The pension funds allege that SolarWinds breached its fiduciary duties when it failed to address widespread warnings about the company’s heightened risk for attack. More specifically, the two pension funds assert that “SolarWinds suffered from internal cybersecurity deficiencies that defied elementary cybersecurity standards for any modern company, let alone one with a heightened risk of a cyberattack due to its trusted access to thousands of sensitive networks, including multiple critical agencies of the U.S. government.”
SolarWinds was first made aware of the heightened risk for cyberattacks by both government and private cybersecurity experts as early as 2017. Despite repeated warnings, the company failed to take even the most basic preventative actions against potential cyberattacks.
UPDATE 11/11/2021 ~ A SolarWinds spokesperson released the following statement in response to the suit:
We do not comment on pending litigation, but this action is similar to a purported derivative lawsuit filed earlier this year. More importantly, we continue to focus on deepening our relationships with customers and openly discussing our Secure by Design initiatives as we look to set the standard for secure software development.
This article was edited to clarify that while 18,000 users downloaded the affected software, a far smaller number were actually targeted by the attackers.