The SEC has accused Avaya and Unisys of providing “misleading” security disclosures

Important Takeaways
  • For downplaying the impact of a statewide attack, four US tech corporations were punished.
  • The SEC discovered that the businesses had neglected to inform their customers about the consequences of the SolarWinds Orion hack.
  • Unisys, Avaya, Check Point, and Mimecast have all been ordered by the SEC to pay fines totaling up to $4 million.

Four US corporations have been penalized by the SEC for sharing “misleading” statements with impacted customers and denying involvement in a significant data breach.

Four American companies were charged by the Securities and Exchange Commission today for minimizing the impact of a massive hack that affected thousands of organizations, including several US government institutions. The penalties imposed on the four businesses found liable for disseminating “misleading” information regarding the 2020 attack on SolarWinds’ Orion software range from $0.99 million to $4 million.

The four businesses are:

  • Unisys, an IT supplier and consultancy firm
  • Avaya Holdings, a business communications software provider
  • Check Point Software, a security management company
  • Mimecast, an email management company

Companies were required by the SEC to fully disclose data breaches to their shareholders and other members of the investing public in order to shield them from future harm.

According to the SEC’s rulings, these corporations failed to disclose the full extent of the incidents to investors by making false statements about them, wrote Sanjay Wadhwa, interim director of the SEC’s Division of Enforcement. The SEC further stated that the corporations did not bring up the SolarWinds Orion hack with their customers, even after learning about it in 2020.

Although Unisys was fully aware of at least two infiltration incidents that resulted in the theft of “gigabytes of data” from its systems, the regulator points out that Unisys labeled the occurrence as “hypothetical.” Because of this, the company receives the largest fine of $4 million, or around 1% of its current market value. Despite having bigger footprints, the other businesses receive comparatively lighter fines.

In addition to the $4 million fine for Unisys:

  • Avaya Holdings Corp. will pay $1 million.
  • Check Point Software Technologies Ltd. will pay $995,000.
  • Mimecast Ltd. faces a penalty of $990,000.

By giving “half truths,” the firms were found to have broken the Securities Act of 1933 and the Securities Exchange Act of 1934.

What was the SolarWinds Orion hack?

One of the most significant cybersecurity events of the twenty-first century is thought to have been the SolarWinds Orion breach. Networks belonging to SolarWinds, which provides IT and network management solutions to tens of thousands of commercial clients and numerous government entities at the local, state, and federal levels, were compromised by a hacker collective known as Nobelium. Among the well-known companies that were attacked were Cisco, Dell, Intel, and Microsoft. Attacks are thought to have targeted government organizations, including the Departments of Treasury, Homeland Security, and Commerce.

SolarWinds’ Orion software was the explicit target of the hackers, who hid malware in a software update that was later sent to thousands of users. The problem was initially disclosed by cybersecurity firm FireEye.

Up to 18,000 of Orion’s approximately 33,000 customer organizations at the time were thought to have been affected by the hack, according to an SEC filing. They included the four companies that were penalized. The attack was all the more damaging because, in addition to SolarWinds’ clients, it may have compromised the data of countless others who used similar services.
