SEC Reportedly Probing SolarWinds Breach | Hacking

By John P. Mello Jr.

Jun 23, 2021 4:00 AM PT

Clients of SolarWinds, which experienced a high-profile data breach last year, are being targeted in a probe by the U.S. Securities and Exchange Commission, according to a Reuters report.

The investigation is focusing on whether some of the companies doing business with the network management software maker failed to disclose they were affected by the attack, Reuters reported Monday, citing two anonymous sources familiar with the investigation.

Those sources revealed that the SEC sent letters last week to a number of public companies and investment firms asking them to voluntarily acknowledge if they had been victims and failed to disclose it.

“The SEC deciding to investigate a public enterprise breach is pretty significant, considering there could be financial implications from this breach that could affect a company’s future,” Piyush Sharrma, co-founder of Accurics, a cyber resilience company in Pleasanton, Calif., told TechNewsWorld.

“The impact of these large-scale breaches clearly has the potential to destabilize stock prices and the broader stock market, so it makes sense that the SEC would pursue such a line of inquiry,” added Oliver Tavakoli, CTO of Vectra AI, a provider of automated threat management solutions in San Jose, Calif.

As cyberattacks continue to grow in sophistication and cost, it is significant that the SEC is aware of security breaches and is proactively requesting information about them, maintained Bryce Hancock, COO of Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

“This is important from a disclosure standpoint, as well as raising the awareness of the importance of creating a culture of cybersecurity,” he told TechNewsWorld.

The SEC did not respond to a request for comment for this story.

Question of Reach

James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla., explained that SolarWinds has thousands of customers, many of them likely publicly traded companies.

“While the SolarWinds breach itself was heavily in the news, it was not well known if the other organizations came forward to report that they were breached,” he told TechNewsWorld.

“However, the SEC requires organizations to have disclosure procedures, as they are required to report any data breaches or cyber incidents,” he continued.

“Ironically, the company may report to the SEC that they experienced a breach,” he added, “but may not disclose it publicly if it did not involve losing any privacy-controlled data, like names or emails.”

Brent Johnson, CISO of Bluefin, a data security company in Atlanta, explained that a probe into the SolarWinds breach isn’t entirely unexpected, since the agency has fined companies in the past for failing to disclose data breaches.

“What is different this time around is the breadth of companies impacted by the SolarWinds incident,” he told TechNewsWorld.

“Confusion around whether running affected software versions impacted different companies’ user bases has likely raised a lot of questions around the true reach of the hackers here,” he told TechNewsWorld.

Sunburst Backdoor

The attack on SolarWinds’ Orion platform was disclosed in December. The platform is commonly used to manage complex switched and routed network architectures.

Because of the sophistication of the attack, it’s suspected that the operation was backed by a nation-state.

What SolarWinds discovered was that hackers were able to penetrate its software development infrastructure and bolt a malware program, known as Sunburst, into a legitimate software update for Orion.

In March of 2020, the malicious software patch was distributed to SolarWinds’ customers. The patch set up a backdoor to the systems it infected, which gave the hackers a means for stealing data from those systems.

McQuiggan noted that the SEC has required the reporting of data breaches to the agency since February 2018.

“However,” he continued, “with the SolarWinds attack being so prominent in the industry, the SEC may realize that there should be a significantly higher number of organizations that have yet to report if a breach impacted them via the Sunburst exploit.”

“This is not entirely new territory for the SEC, as it has sued companies related to breach disclosure and failure to adopt proper cybersecurity policies at least as far back as a decade ago,” added Tavakoli.

“But,” he told TechNewsWorld, “this push feels more expansive and different than the ad hoc approaches of the past.”

Far Reaching Request

In addition to requesting voluntary disclosures, Reuters reported that the SEC is seeking information from victims of the attack as to whether they experienced a lapse of internal controls, as well as any insider trading data.

Reuters also reported the SEC is looking at some companies’ policies to determine if they’re designed to protect customer information.

“I do find the internal controls piece interesting,” Johnson said. “While a supply chain attack may be difficult to detect from an internal controls perspective, a company’s ability to investigate, respond, and notify once the vulnerability has been detected could be under scrutiny.”

Sharrma maintained that the SEC is trying to understand if state threat actors were involved in the breach. He acknowledged, however, “Enforcing controls and policies could be more complicated because every control may not apply to every enterprise.”

“I think they’re interested in learning, understanding and evaluating the impact of the breach, rather than enforcing security policies,” he added.

Tavakoli called the SEC’s information requests “far reaching.”

“The SEC setting a clearer bar for what constitutes reasonable cybersecurity policies and practices has the potential to clarify corporate responsibility to protect shareholder value,” he said.

“Breaches — and insider knowledge about them — can clearly be used to illegally benefit in trading stocks, something that is squarely within the SEC’s remit,” he added.

He also noted that what action the SEC may take against companies that voluntarily admit they failed to disclose the impact of the SolarWinds breach on their operations appears to be fuzzy.

“It’s unclear from the public reports whether companies which now disclose a breach will not be subject to fines — just that the information they provide to the SEC would not be used as a basis for legal action,” he said.

“And companies may still wish to avoid public disclosure and the inevitable raft of civil lawsuits that would ensue from such disclosure,” he added.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.

