SEC Accuses Tech Firms of Minimizing Impact of SolarWinds Breaches
23 Oct 2024
The U.S. Securities and Exchange Commission (SEC) has charged four companies—Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast—for allegedly misleading investors regarding the impact of cybersecurity breaches linked to the 2020 SolarWinds Orion hack. According to the SEC’s announcement, these companies made misleading disclosures about the extent of the breaches they experienced during the supply chain attack, which compromised many organizations, including U.S. government agencies.
Unisys was further charged with failing to maintain proper disclosure controls and procedures. The companies have agreed to settle the charges by paying civil penalties, with Unisys paying $4 million, Avaya $1 million, Check Point $995,000, and Mimecast $990,000.
The SEC’s investigation found that in 2020 Unisys, Avaya, and Check Point each learned that the threat actor likely behind the SolarWinds attack had gained unauthorized access to their systems; Mimecast learned this in 2021. Each company then negligently downplayed the incident in its public disclosures. Unisys described the risk of such intrusions as hypothetical even though it had already suffered two SolarWinds-related compromises involving data exfiltration. Avaya stated that only a limited number of email messages had been accessed when it also knew the attacker had reached at least 145 files in its cloud file-sharing environment. Check Point described the intrusion and the risks arising from it only in generic terms, and Mimecast did not disclose the nature of the source code that was exfiltrated or the quantity of credentials that were accessed.
The SolarWinds attack, attributed to Russian state-sponsored hackers (APT29), compromised the build process of SolarWinds’ Orion platform so that legitimately signed Orion updates distributed between March and June 2020 carried a backdoor. Around 18,000 customers installed the tainted updates; the attackers then selected a much smaller set of those organizations for follow-on, hands-on intrusion. High-profile victims included Microsoft, FireEye, and multiple U.S. government agencies.