The SEC has charged four companies—Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast—for allegedly misleading investors about the impact of their breaches during the massive 2020 SolarWinds Orion hack.
“The Securities and Exchange Commission today charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions,” announces the SEC in a Tuesday press release.
“The SEC also charged Unisys with disclosure controls and procedures violations.”
These companies agreed to pay civil penalties to settle the SEC’s charges. Unisys will pay $4 million, Avaya will pay $1 million, Check Point will pay a $995,000 civil penalty, and Mimecast will pay a $990,000 penalty.
These fines come after the SEC alleged that Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast all downplayed the breaches they suffered during the SolarWinds supply chain attack, leaving investors in the dark about the attack’s potential impact.
“According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures,” continues the SEC announcement.
“The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data.”
The SEC’s investigation found that Avaya claimed that the threat actors had only accessed a limited number of email messages, when it knew that at least 145 files in its cloud storage environment had been accessed as well.
The investigation into Check Point found that the company knew it was breached, but downplayed the impact by using “generic terms.”
For Mimecast, the SEC found that the company downplayed the attack by not disclosing the nature of the code that was stolen and the number of encrypted credentials accessed during the breach.
In 2019, IT software company SolarWinds was breached by the Russian state-sponsored hacking group known as APT29, the hacking division of the Russian Foreign Intelligence Service (SVR).
As part of the attack, the threat actors trojanized the SolarWinds Orion IT administration platform and subsequent updates released between March 2020 and June 2020.
These malicious updates were pushed down to SolarWinds customers to drop a variety of malware, including the Sunburst backdoor, onto the systems of “fewer than 18,000” victims. However, the attackers handpicked a substantially smaller number of those targets for second-stage exploitation.
Multiple companies and U.S. government agencies later confirmed that they were breached, including Microsoft, FireEye, the Department of State, the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Energy (DOE), the National Institutes of Health (NIH), and the National Nuclear Security Administration (NNSA).