Unisys, Check Point, Mimecast, Avaya Fined By SEC Over SolarWinds-Related Breaches

The SEC announced penalties of $4 million for Unisys and roughly $1 million apiece for Avaya, Check Point and Mimecast over what the agency said were ‘materially misleading disclosures’ after the series of attacks in 2020 and early 2021.

The U.S. Securities and Exchange Commission on Tuesday announced penalties against Unisys, Avaya, Check Point Software Technologies and Mimecast over what the SEC said were “materially misleading disclosures” after the series of breaches in 2020 and early 2021 related to the widely felt SolarWinds Orion compromise.

In the attacks, first discovered in late 2020, hackers linked to Russia’s government infiltrated SolarWinds’ software supply chain and infected the company’s Orion network monitoring software with malicious code. The tainted software was then downloaded by thousands of customers, including U.S. government agencies and major corporations, leading to numerous additional data breaches.


In a news release Tuesday, the SEC said that the four companies have agreed to settlements related to their disclosures over the breaches, each of which includes payment of a civil penalty. Cybersecurity vendors Check Point and Mimecast each agreed to pay just shy of $1 million, while IT solution provider Unisys agreed to pay $4 million and unified communications vendor Avaya will pay $1 million.

The companies have been charged by the SEC with “making materially misleading disclosures regarding cybersecurity risks and intrusions” in the wake of the campaign targeting SolarWinds and its customers, the agency said in the news release.

“According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures,” the SEC said.

Check Point, according to the SEC, “knew of the intrusion but described cyber intrusions and risks from them in generic terms.”

In a statement attributed to Gil Messing, chief of staff at Check Point, the security vendor said that “the SEC’s announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber incident and the question of whether this should have been reported in Check Point’s 2021 20-F Annual Report filing.”

“As mentioned in the SEC’s order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed,” Messing said in the statement.

Check Point, however, ultimately decided that “cooperating and settling the dispute with the SEC was in its best interest” in order to keep the focus on securing customers, according to the statement attributed to Messing.

Mimecast, the SEC said, “minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.”

In a statement, Mimecast said that “in responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected. We believed that we complied with our disclosure obligations based on the regulatory requirements at that time.”

“We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers,” the company said.

Avaya is accused by the SEC of having “stated that the threat actor had accessed a ‘limited number of [the] Company’s email messages,’ when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment.”

In a statement provided to CRN, Avaya said that “we are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls.”

Unisys, according to the SEC news release, “described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data.”

The order “also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls,” the SEC said.

A Unisys representative directed CRN to an SEC filing Tuesday, in which Unisys said it “concluded that it is in the best interests of the company and its stockholders to constructively resolve this matter with the SEC.”