23 October 2024

Four security companies hit with fines over SolarWinds disclosures

The US Securities and Exchange Commission (SEC) has charged four tech companies with making misleading disclosures about the 2019 SolarWinds data breach. The companies, Check Point, Mimecast, Unisys, and Avaya, were victims of the large-scale cyberattack but failed to properly disclose the extent of the breach and its risks in their public filings. Collectively, the four firms will pay over $6.9 million in penalties.

SolarWinds’ Orion software is a widely used IT management platform that was hacked in 2019. The threat actor penetrated SolarWinds’ software development infrastructure and inserted malware into a legitimate SolarWinds Orion software update. In March of 2020, the malicious ‘patch’ was distributed; it could then provide backdoor access into victims’ networks, from which the adversary could exfiltrate data. The breach, attributed to a Russian nation-state-backed threat actor known as APT29 or Cozy Bear, affected multiple companies and US government agencies.

While the four companies did suffer cyberattacks as a result of the SolarWinds hack, the SEC found that each had “negligently” downplayed the impact of the breaches in their public disclosures.

According to the SEC, Unisys had experienced two SolarWinds-related cyber intrusions resulting in the exfiltration of gigabytes of data, but the company disclosed its cybersecurity risks as merely “hypothetical” in public filings. The SEC cited Unisys' deficient disclosure controls as a major factor behind its misleading statements.

Avaya, the SEC said, publicly downplayed the extent of its breach, stating that the attackers had accessed only a limited number of email messages. In reality, at least 145 files from Avaya’s cloud file-sharing environment had been accessed.

Check Point was charged for making generic statements about cyber intrusions, despite knowing of a breach in its own systems. The SEC said Check Point failed to adequately explain the risks posed by the intrusion.

As for Mimecast, the SEC found that the company failed to disclose the sensitive nature of the stolen code and the number of encrypted credentials the attackers accessed. Mimecast first discovered the breach in 2021.

However, the SEC acknowledged that each company cooperated during the investigation, providing voluntary analyses and enhancing their cybersecurity controls in response to the breach.

Avaya’s spokesperson, Julianne Embry, told TechCrunch that the company took steps to improve its cybersecurity measures and appreciated that the SEC recognized its voluntary cooperation. Check Point’s spokesperson, Gil Messing, stated that while the company did not find evidence of compromised customer data, it decided to cooperate fully with the SEC and settle the dispute. Mimecast’s spokesperson, Timothy Hamilton, emphasized that the company was transparent with its customers throughout the breach.

Unisys, which faced the largest fine, declined to comment beyond its official SEC filing, in which it acknowledged the settlement that resolved the investigation.
