SEC Accuses Four Firms of Downplaying SolarWinds-Related Hacks

October 23, 2024 by

Four hacked companies will pay a total of almost $7 million to settle US Securities and Exchange Commission allegations that they downplayed the significance of the cyberattacks, the latest fallout from the massive SolarWinds Corp. breach.

Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Ltd. misled the public about the seriousness of the attacks when the actors behind the SolarWinds hack breached their systems in 2020 and 2021, the SEC said Tuesday. The companies settled with the regulator without admitting to or denying the allegations.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” Jorge Tenreiro, acting chief of the SEC’s crypto assets and cyber unit, said in a statement.

The regulator said Unisys in 2020 and 2021 financial filings described its risks from cybersecurity events as hypothetical even though it knew hackers had extracted data from the company and accessed files and mailboxes of senior IT personnel. These misleading disclosures stemmed from deficient controls, the SEC said.

An attorney for Unisys, a tech consulting company, didn’t immediately respond to a request for comment. In a regulatory filing on Tuesday, the firm said the SEC recognized its cooperation in the investigation and the steps it had taken to improve disclosure policies and strengthen cybersecurity risk management.

‘Limited Number’

Avaya, a digital communications services firm, will pay $1 million. In early 2021, it said it had investigated suspicious activity and unauthorized access to “a limited number” of company email messages. The threat actor accessed at least 145 files, the SEC said.

On Tuesday, the company said in a statement that it was pleased to have resolved the probe and “continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations.”

An attorney for Mimecast, a cloud security firm that was taken private in 2022, declined to comment. In 2021 the company had failed to disclose the nature of the code the hacker accessed and the number of encrypted credentials that were compromised, according to the SEC.

Mimecast agreed to pay $990,000, the SEC said. Check Point, an IT security products company, also has settled and will pay $995,000.

When Check Point investigated its breach, it didn’t find evidence that any customer data, code or other sensitive information was accessed, the company said in a statement Tuesday.

“Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world,” the company said.

The SolarWinds breach affected hundreds of public companies and numerous government agencies. The SolarWinds attack was disclosed in December 2020.

Photo: Chris Ratcliffe/Bloomberg