Avaya Fined $1MN Over the 2020 SolarWinds Hack

The contact center stalwart is one of four tech firms to have received fines for misleading public disclosures relating to the incident


Published: October 25, 2024

Rory Greener


Earlier this week, the Securities and Exchange Commission charged Avaya with making misleading public disclosures relating to the infamous 2020 SolarWinds hack.

Unisys, Check Point Software Technologies, and Mimecast have also received fines.

Indeed, the Securities and Exchange Commission has hit Unisys with a $4 million civil penalty, Avaya with a $1 million civil penalty, Check Point with a $995,000 civil penalty, and Mimecast with a $990,000 civil penalty; each company agreed to pay the penalty to settle the charges.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, explained the SEC’s actions reflect that “while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

Wadhwa also added: 

Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.

The Origins of the Breach

The breaches stem from the compromise of SolarWinds' Orion software, which each of the four firms used, and from related activity by the same threat actor.

The charges note that Avaya, alongside Check Point and Unisys, learned of the intrusions in 2020. Mimecast learned of its breach in 2021.

Although each firm publicly acknowledged being affected by the SolarWinds Orion hack, the SEC fines relate specifically to how the companies negligently minimized the scale of the intrusions in their public disclosures.

Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, added: 

Downplaying the extent of a material cybersecurity breach is a bad strategy. In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.  The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.

For example, the charges state that Unisys framed the risk of such intrusions as "hypothetical" despite knowing that "gigabytes of data" had already been exfiltrated.

Moreover, according to the SEC, Unisys’s misleading public acknowledgment of the attacks originated from “deficient disclosure controls.”

On the other hand, the SEC found that Avaya stated that only a "limited number" of its email messages had been accessed, despite knowing that at least 145 files in its cloud file-sharing environment had also been accessed.

Speaking to NJBIZ, Avaya explained its side of the situation by adding:

We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls. Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations.

Additionally, Check Point described the intrusion and its risks only in "generic terms," and Mimecast minimized the scale of the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the actor accessed.
