Massive SolarWinds Hack Leads to Class-Action Lawsuit

Written by Edward Gately
January 5, 2021

The suit seeks to recover damages for SolarWinds investors under the federal securities laws.

SolarWinds just got hit with a class-action lawsuit related to the hack that has impacted at least 250 federal agencies and businesses.

Kevin Thompson, former SolarWinds president and CEO, and Barton Kalsu, chief financial officer, are also named defendants in the class-action lawsuit. The suit was filed on behalf of stock buyers who acquired publicly traded SolarWinds securities from Feb. 24 to Dec. 15, 2020.

The federal court in the Western District of Texas has jurisdiction over the case. The suit requests a jury trial, and the plaintiffs are seeking damages from the company, Thompson and Kalsu.

SolarWinds isn’t commenting on the suit.

In the SolarWinds hack, the malicious hackers inserted Sunburst malware into the company’s‘ Orion software updates. The updates, released between March and June 2020, went to nearly 18,000 customers.

This led to security breaches at numerous U.S. government agencies. Specifically, the attackers breached the National Telecommunications and Information Administration (NTIA), the Department of Homeland Security (DHS) and more. The attackers also breached SolarWinds’ corporate clients.

The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds cyberattack.

Plummeting Stock

News of the hack broke on Dec. 13. When SolarWinds disclosed the hack in a Securities and Exchange Commission filing, the company’s stock plummeted.

According to the complaint, the defendants made false and/or misleading statements and/or failed to disclose that:

Since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server on which the products ran.
SolarWinds’ update server had an easily accessible password of solarwinds123. Therefore, SolarWinds’ customers, including, among others, the federal government, Microsoft, Cisco and Nvidia, would be vulnerable to hacks.
As a result, SolarWinds would suffer significant reputational harm.
Defendants’ statements about SolarWinds’ business, operations and prospects were materially false and misleading, and/or lacked a reasonable basis at all relevant times.

The suit alleges the individual defendants knew of the material omissions and/or the falsity of the material statements intended to deceive the plaintiff and the other members of the suit.

“As a result of the foregoing, the market price of SolarWinds securities was artificially inflated during the class period. In ignorance of the falsity of defendants’ statements, [the] plaintiff and the other members of the class relied on the statements … and/or the integrity of the market price of SolarWinds securities during the class period in purchasing SolarWinds securities at prices that were artificially inflated as a result of defendants’ false and misleading statements,” the suit reads.