SolarWinds to pay US$26 million over Orion compromise

The cost to American companies of shareholder and regulator lawsuits after being hit by cyber attacks is becoming clear.

SolarWinds said it has entered into a binding agreement to pay US$26 million to investors to settle a class action lawsuit stemming from the 2020 compromise of the update mechanism of its Orion network management platform.

Separately, credit reporting company Experian reached a US$13.6 million settlement with 40 U.S. states arising from two incidents: a 2012 hack where a person posed as a private investigator to access sensitive personal information, and a 2015 hack where an attacker was able to access data of 15 million T-Mobile cellular customers that the company was storing.

As a consequence of that data breach, T-Mobile will have to pay the states US$2.5 million.

The agreement also stipulates Experian has to create and maintain a comprehensive information security program to protect the personal data it holds, and have a CISO who reports at least monthly to the CEO, and at least quarterly to the board, on cyber risks the company faces. There is also a lengthy list of other obligations.

The proposed SolarWinds settlement, which must be approved by a U.S. court, will have provisions that the settlement does not constitute an admission, concession, or finding of any fault, liability, or wrongdoing by the company.

SolarWinds also said it has been notified that the U.S. Securities and Exchange Commission (SEC) has made a preliminary decision to recommend filing an action alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements from the incident, as well as relating to the company’s internal controls and disclosure controls and procedures.

SolarWinds said it maintains that its disclosures, public statements, controls and procedures were appropriate and will submit a response to the SEC staff’s position.

An estimated 18,000 organizations that used Orion installed an infected update after a Russia-based threat group evaded security controls and compromised the Orion update mechanism. Of those organizations, it is believed 100 were hacked.

In a commentary, John Pescatore of the SANS Institute wrote that the US$26 million settlement cost alone “is many times more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20 per cent of SolarWinds’ total costs for failing to protect its development systems and product code, but raises a key point: more of these lawsuits are starting to succeed, so we are seeing more settlements.”

His colleague at the institute, Lee Neely, wrote that the total expense of the attack to SolarWinds will be “staggering, when you include this settlement, regulatory fines, remediation costs and lost business. The message here – make sure that you’re leveraging guidance on securing your supply chain. Whether a developer, distributor or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.”


Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
