Naming All Entities Harmed in 2020 Cyberattack ‘Not Necessary,’ Say SEC, SolarWinds

The SEC and defendant SolarWinds are pushing back against a U.S. district judge's request for information about any entities that may have been affected in the 2020 Sunburst cyberattack. The parties understand that the judge seeks the information to assess any conflicts that could affect his future participation in this case, they said in a joint letter Tuesday to U.S. District Judge Paul Engelmayer for Southern New York in Manhattan (docket 1:23-cv-09518). It’s the parties’ position that identifying all entities potentially affected by the Sunburst attack isn’t necessary “for purposes of assessing conflicts,” said the letter. SolarWinds further notes that providing that information to the court “would be unduly burdensome” and could “impinge on customer confidentiality requirements,” it said. The parties aren’t "presently aware" of any entities affected by the Sunburst attack other than those described in the SEC’s complaint, it said. The SEC alleges that SolarWinds and Timothy Brown, its chief information security officer, were guilty of SEC Act violations by covering up the company’s security vulnerabilities in the years leading up to the cyberattack (see 2310310041).