Complaint says SolarWinds downplayed security concerns
The complaint alleges SolarWinds’ public statements about its cybersecurity practices and risks were “at odds with its internal assessments.” An internal presentation developed by company engineers in 2018, for instance, proved SolarWinds (and Brown) had knowledge of security risks within its core products.
The SEC complaint, quoting SolarWinds’ internal documents, said the company’s remote access setup was found to be “not very secure” and that someone exploiting the vulnerability “can basically do whatever without (us) detecting it until it’s too late,” which could lead to “major reputation and financial loss” for the company.
Additionally, Brown himself was found to have made internal presentations in 2018 and 2019, stating that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “access and privilege to critical systems/data is inappropriate.”
“Brown and other SolarWinds employees knew that SolarWinds had serious cybersecurity deficiencies,” the complaint said. “Internal emails, messages, and documents describe numerous known material cybersecurity risks, control issues, and vulnerabilities. These internal statements dramatically contradict SolarWinds’ public disclosures relating to its cybersecurity practices, risks, controls, and vulnerabilities.”
In June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “(our) backends are not that resilient,” according to the complaint.
“The volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve,” an internal document shared with Brown and others two months later stated.