SolarWinds Orion Cyberattack Securities & Consumer Class Action Litigation
Case Overview
In December 2020, cybersecurity firm FireEye revealed one of the most consequential cyberattacks in history: threat actors, widely attributed to Russia's SVR intelligence service, had inserted malicious code (dubbed 'SUNBURST') into routine software updates for SolarWinds' Orion platform — a widely deployed IT monitoring tool used by Fortune 500 companies and major U.S. federal agencies including the Treasury, Commerce, and Homeland Security Departments. The tainted updates were distributed to approximately 18,000 customers beginning as early as March 2020, giving attackers stealthy, persistent access to victim networks for months. The breach exposed sensitive government communications, intellectual property, and confidential data on a massive scale.
Securities class action plaintiffs — SolarWinds investors who suffered stock price losses after the disclosure — alleged that SolarWinds and its executives had made materially false statements about the company's cybersecurity controls and data protection practices in SEC filings and public statements, in violation of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934. SolarWinds agreed to pay $26 million to settle the securities class action, which received final court approval. Separately, the SEC brought its own enforcement action against SolarWinds and its CISO. The case has become a defining benchmark for corporate cybersecurity disclosure obligations and director/officer liability following a major breach.
Who May Qualify
Investors who purchased or acquired SolarWinds Corporation common stock or other publicly traded securities between October 18, 2018, and December 17, 2020 (the class period), and suffered losses when the company's stock price declined following the public disclosure of the SUNBURST cyberattack. The securities settlement class period and claims deadline are now closed.
Frequently Asked Questions
What was the SolarWinds SUNBURST cyberattack?
SUNBURST was a sophisticated supply-chain cyberattack in which hackers attributed to Russian intelligence inserted malware into SolarWinds' Orion software updates, compromising roughly 18,000 organizations — including multiple U.S. federal agencies — from as early as March 2020 through December 2020 when the attack was discovered.
Did SolarWinds settle the class action lawsuit?
Yes. SolarWinds agreed to pay $26 million to settle a securities class action brought by investors who alleged the company misrepresented its cybersecurity practices. The settlement received final court approval, though the claims period is now closed.
Did the SEC take action against SolarWinds after the cyberattack?
Yes. The SEC filed an enforcement action against SolarWinds and its Chief Information Security Officer (CISO) Tim Brown, alleging fraud and internal control failures related to cybersecurity disclosures. This case was closely watched as a signal of the SEC's intent to hold companies and individual executives accountable for inadequate cyber-risk disclosures.