When an organization suffers a data breach, there are almost certainly two things that will follow. The first is incident response to properly manage the situation. And the second is a lawsuit from angered customers or investors who had their information stolen or lost some money.
This is exactly the kind of situation that is currently playing out with SolarWinds after the company's supply chain cyberattack and subsequent data breach.
Investor class-action lawsuit against SolarWinds
Investors in SolarWinds lost money and have filed a class-action lawsuit against the company.
The lawsuit was filed specifically by investors who acquired stock in the company between February 24, 2020, and December 15, 2020.
SolarWinds shares saw a significant decrease following the disclosure of the breach, dropping from $24 down to $18 per share.
The lawsuit refers to financial reports that SolarWinds filed while the cyber actors had access to its systems. It accuses company executives of failed cybersecurity practices and alleged misleading statements:
"Made false and/or misleading statements and/or failed to disclose that: (1) since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran; (2) SolarWinds' update server had an easily accessible password of 'solarwinds123'; (3) consequently, SolarWinds' customers, including, among others, the Federal Government, Microsoft, Cisco, and Nvidia, would be vulnerable to hacks; (4) as a result, the Company would suffer significant reputational harm; and (5) as a result, Defendants' statements about SolarWinds's business, operations and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times."
In addition to the things listed here, some third parties have come forward to say they tried to warn SolarWinds of its potential cyber risks, but those warnings were allegedly ignored by the company.
Scope of the SolarWinds attack
SolarWinds says approximately 18,000 customers may have received trojanized product updates delivered by the attackers through the SolarWinds Orion platform. However, the number of organizations affected by an activated follow-on attack is likely much lower yet significant.
The New York Times recently reported that more than 250 organizations had the cyberattack's second stage activated within their servers.
This means more lawsuits may be in the works to recover damages from SolarWinds.