The first class-action lawsuit brought against SolarWinds following its breach accuses the company of making materially false and misleading statements about its security posture throughout 2020.
The suit alleges that SolarWinds, outgoing CEO Kevin Thompson and CFO Barton Kalsu made “false and/or misleading” statements in regulatory filings with the U.S. Securities and Exchange Commission in February, May, August and November of 2020. The 15-page lawsuit was filed Monday in U.S. District Court for the Western District of Texas.
“[SolarWinds] mispresented and failed to disclose the following adverse facts pertaining to the company’s business, operations, and prospects, which were known to Defendants or recklessly disregarded by them,” the 15-page lawsuit claimed.
The class-action complaint was brought on behalf of Timothy Bremer, a resident of Jefferson County, Kentucky who bought two shares of SolarWinds stock on Sept. 23 at $19.93 per share and 38 shares of SolarWinds stock on Oct. 22 at $21.54 per share. SolarWinds traded at just $14.53 per share at the close of market Monday, down 38.3 percent from $23.55 per share the day before the hack became public.
“As a result of Defendants’ wrongful acts and omissions, and the precipitous decline in the market value of the Company’s securities, Plaintiff and other Class members have suffered significant losses and damages,” the suit filed by Kristine Rogers of Dallas-based commercial law firm Steckler Wayne Cochran alleges.
The lawsuit accuses SolarWinds and its top executives of failing to disclose that, since mid-2020, the company’s Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran. The suit also claims that SolarWinds’ update server had an easily accessible password of ‘solarwinds123,’ citing the findings of security researcher Vinoth Kumar.
The lawsuit also references the finding by Huntress co-founder Kyle Hanslovan that malicious Orion updates were still available for download days after SolarWinds realized its software had been compromised. Consequently, the lawsuit states that SolarWinds customers including the federal government, Microsoft, Cisco and Nvidia were vulnerable to hacks.
“Defendants’ statements about SolarWinds’s business, operations and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times,” the lawsuit alleged. “As a result, the Company would suffer significant reputational harm.”
The lawsuit asks a jury to consider whether the price of SolarWinds stock was artificially inflated from Feb. 24, 2020, to Dec. 15, 2020, based on SolarWinds’ conduct detailed in the complaint. Had Bremer or others been aware that the market price of SolarWinds’ stock had been artificially inflated by misleading statements and inadequate disclosures, they wouldn’t have purchased the company’s stock at all.
Specific to CEO Thompson and CFO Kalsu, the lawsuit states that both executives knew adverse non-public information about SolarWinds’s corporate, governance and business prospects because of their senior positions. Based on Thompson and Kalsu’s positions, the lawsuit said they had control over the contents of the various reports, press releases and public filings which SolarWinds disseminated in 2020.
“Each of the Individual Defendants … was aware of or recklessly disregarded the fact that the false and misleading statements were being issued concerning the Company; and/or approved or ratified these statements in violation of the federal securities laws,” the lawsuit alleges.
SolarWinds did not address the lawsuit directly, but said in a statement that it is “solely focused on helping the industry and our customers understand and mitigate this attack, and quickly released hotfix updates to customers that we believe will close the vulnerability. We have also taken a number of steps to further secure our network and products, including through advanced endpoint detection and monitoring tools.“