SolarWinds to pay US$26 million over Orion compromise

Share post:

The cost to American companies from shareholder and regulator lawsuits for being hit by cyber attacks is being revealed.

SolarWinds said it has entered into a binding agreement to pay US$26 million to investors to settle a class action lawsuit stemming from the 2020 compromise of the update mechanism of its Orion network management platform.

Separately, credit reporting company Experian reached a US$13.6 million settlement with 40 U.S. states arising from two incidents: a 2012 hack where a person posed as a private investigator to access sensitive personal information, and a 2015 hack where an attacker was able to access data of 15 million T-Mobile cellular customers that the company was storing.

As a consequence of that data breach, T-Mobile will have to pay the states US$2.5 million.

The agreement also stipulates Experian has to create and maintain a comprehensive information security program to protect the personal data it holds, and have a CISO who reports at least monthly to the CEO, and at least quarterly to the board, on cyber risks the company faces. There is also a lengthy list of other obligations.

The proposed SolarWinds settlement, which must be approved by a U.S. court, will have provisions that the settlement does not constitute an admission, concession, or finding of any fault, liability, or wrongdoing by the company.

SolarWinds also said it has been notified that the U.S. Securities and Exchange Commission (SEC) has made a preliminary decision to recommend filing an action alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements from the incident, as well as relating to the company’s internal controls and disclosure controls and procedures.

SolarWinds said it maintains that its disclosures, public statements, controls and procedures were appropriate and will submit a response to the SEC staff’s position.

An estimated 18,000 organizations that used Orion installed an infected update after a Russian-based threat group evaded security controls and compromised the Orion update mechanism. Of those organizations, it is believed 100 were hacked.

In a commentary, John Pescatore of the SANS Institute wrote that the US$26 million settlement cost alone “is many times more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20 per cent of SolarWinds’ total costs for failing to protect its development systems and product code, but raises a key point: more of these lawsuits are starting to succeed, so we are seeing more settlements.”

His colleague at the institute, Lee Neely, wrote that the total expense of the attack to SolarWinds will be “staggering, when you include this settlement, regulatory fines, remediation costs and lost business. The message here – make sure that you’re leveraging guidance on securing your supply chain. Whether a developer, distributor or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.”

The post SolarWinds to pay US$26 million over Orion compromise first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs



Related articles

Gartner debunks myths undermining cybersecurity success

Henrique Teixeira, Senior Director Analyst at Gartner, and Leigh McMullen, Distinguished VP Analyst at Gartner, highlighted and disproved...

Toyota discloses customer data breach

Toyota has disclosed that customer information from Japan and other countries in Asia and Oceania was publicly available...

Critical Vulnerability found in MOVEit

Progress Software has warned about a critical vulnerability in its popular file-transfer software, MOVEit, which could allow malicious...

Canadian Defence Minister concerned over increasing cyberattacks

Canadian Defence Minister Anita Anand has issued a warning that the country's key infrastructure is more vulnerable to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways