SolarWinds pays US$26 million for Orion breach

Losses for American companies due to shareholder and regulatory lawsuits hit by cyberattacks are becoming apparent.

SolarWinds said it has entered into a binding agreement to pay investors US$26 million to settle a class action lawsuit arising from a 2020 infringement of its Orion network management platform update mechanism.

Separately, credit bureau Experian reached a US$13.6 million settlement with 40 US states. This is his 2012 hack, where a person posed as a private investigator to access sensitive personal information, and the 2015 hack, where an attacker was able to access the data. Of his 15 million T-Mobile cellular customers the company had in custody,

As a result of this data breach, T-Mobile will have to pay the state $2.5 million.

The agreement requires Experian to create and maintain a comprehensive information security program to protect personal data in its possession, and to report to the CEO at least monthly and at least quarterly on the cyber risks the company faces. It also stipulates that a CISO reporting to the board of directors must be placed within the company. There is also a long list of other obligations.

The proposed SolarWinds settlement is subject to U.S. court approval, provided that the settlement does not constitute an admission, concession, or admission of negligence, liability, or wrongdoing by the company. .

SolarWinds has also filed a lawsuit with the U.S. Securities and Exchange Commission (SEC) alleging that the company’s cybersecurity disclosures and public statements from the incident violated certain provisions of U.S. federal securities laws. It said it had been informed that it had made a preliminary decision to recommend. , and related to the Company’s internal control and disclosure controls and procedures.

SolarWinds argued that its disclosures, public statements, controls, and procedures were adequate and said it would file a response to the SEC staff’s position.

After a Russian-based threat group evaded security controls and compromised Orion’s update mechanism, an estimated 18,000 organizations using Orion installed the infected update. Of these organizations, 100 are believed to have been hacked.

John Pescatore of the SANS Institute said in a comment that the $26 million settlement cost alone is “many times what SolarWinds would have spent to prevent this incident. It may be less than 20% of the total cost of failing to protect SolarWinds’ development systems and product code, but it raises an important point: as many of these lawsuits are beginning to succeed, We will see more settlements.”

Lee Neely, a colleague of his at the Institute, said the total cost of the attack on SolarWinds would be staggering, including this settlement, regulatory fines, remediation costs, and lost business. The message here – make sure you’re taking advantage of guidance to secure your supply chain, whether you’re a developer, distributor or consumer, there’s no free riding, there’s a weak spot in the process. In some cases, use the lessons learned from SolarWinds to take action, such as passing on idle suppliers and developers, to ensure the software is authentic and maintained/delivered securely. Please create a case to wake it up.”