Investor launches class-action lawsuit against SolarWinds over hack

SolarWinds' corporate headquarters in Austin, Texas. (Image credit: Travel_with_me/Shutterstock.com)

An investor in SolarWinds today filed a class-action lawsuit against the company and two top executives claiming SolarWinds made "materially false and misleading statements" about their security measures.

The plaintiff, Timothy Bremer, who filed the suit in a district court in Texas, cites reporting by Reuters that stated a security researcher alerted the company that its update server could be breached using the password "solarwinds123." The story also quotes a separate cybersecurity executive saying, "days after SolarWinds realized their software had been compromised, the malicious updates were still available for download."

Despite this, the lawsuit claims, SolarWinds executives did not disclose the vulnerability to the public or its customers.

The lawsuit names the company, Kevin Thompson, the chief executive officer, and J. Barton Kalsu, the chief financial officer, as defendants.

Shortly after the breach in SolarWinds Orion, an IT management software, became public in December, the company said in an SEC filing it believes up to 18,000 of its customers may have downloaded the malicious code.

Microsoft and Cybersecurity firm FireEye have both been investigating the ongoing breach that compromised multiple federal agencies. Those companies have estimated about 40 and 50 organizations, respectively, were actively victimized by hackers.

The New York Times reported over the weekend the intelligence community now believes the hack "affected upward of 250 federal agencies and businesses."

Microsoft declined to comment on its previous estimate.

A spokeswoman for FireEye today declined to provide an updated figure. "There are a number of estimates going around based on different visibility. These should be viewed still as estimates at this point and variance is normal," she added.