The Orion software platform has been compromised, according to a press release and SEC disclosure issued by its provider – SolarWinds Corporation.
Orion is used by thousands of organisations internationally to monitor their IT networks and systems from a single, central platform. Customers include many arms of the US Government and many Fortune 500 companies.
According to the SEC release, malicious code was surreptitiously embedded into Orion updates released between March and June 2020. Any organisations that downloaded, implemented or updated their Orion products during this period were therefore unknowingly introducing the vulnerability and compromising their systems. SolarWinds further stated that some 18,000 customers were impacted, having installed the infected update (out of the 33,000 customers notified of the compromise). SolarWinds confirmed it has over 300,000 customers worldwide. At the moment, it is still not clear how SolarWinds’ Orion software build system was compromised.
The attack exposes the vulnerability of the supply chain and the potential for a single compromise at source to cause significant issues for tens of thousands of enterprise customers. Detecting vulnerabilities is difficult enough, and organisations already face challenges where known vulnerabilities in software are exploited before they are able to install patches, or indeed before patches are developed. The targeting of unpatched Citrix servers for ransomware is a recent example from earlier this year. The SolarWinds incident adds a further complication and will cause organisations to question whether they can blindly rely on upgrades from trusted providers (upgrades which, all things being equal, should strengthen, not weaken, their systems). Alterations made and vulnerabilities introduced at source obviously compromise the entire supply chain, even if organisations otherwise have robust security in place – the maxim that you are only as strong as your weakest link is as true as ever. Moreover, it highlights that the battle for security is fought on multiple fronts simultaneously. The human exposure is well understood, but this is a timely reminder that even the best internal systems and controls might be powerless against an insidious vulnerability coded into otherwise reliable software.
This year has already seen organisations fall foul of security breaches suffered by their third-party providers. In May 2020, Blackbaud, a provider of software and cloud hosting services, had customer data stolen from its network, accompanied by a threat to publish it online. This was coupled with an unsuccessful attempt to encrypt its network in order to block customers from their data and servers. While the ransomware attempt was prevented, Blackbaud announced that it paid a ransom to prevent public disclosure of the stolen customer data. In the meantime, its customers were left to assess their own obligations to the entities and individuals whose data they held on Blackbaud systems, as well as to regulators across the globe.
There are various legal issues that these types of systemic compromises present. Lack of clear information about the scope of the cyber event is a good starting point. In circumstances where organisations make use of the services provided by the compromised third party, that third party will be closest to the key information, even while the organisations are feeling the effects of valued systems being offline or left vulnerable. It will be hard for those organisations to assess their exposure, update their own customers, or otherwise manage the fallout of the incident if they are left in the dark. Equally, however, the third party requires time to investigate the issue in order to provide any appropriate updates. In the meantime, the organisations may be left assessing their regulatory or contractual notification obligations, as well as their liability and reputational risks, in something of a vacuum.
In the EU and the UK, the GDPR assumes that businesses will have addressed these issues in contract, and that a transparent flow of information will allow all concerned to meet their regulatory obligations expeditiously. In practice, however, this rarely happens. This means that organisations are faced with the challenge of dealing with the consequences of an issue that may not be their fault. When those challenges include claims from their own customers and/or regulatory scrutiny, the stakes are comparatively high. This is particularly so when factoring in any contractual limitations of liability that might be present in the agreement with the third-party supplier.
The full extent of the SolarWinds fallout remains to be seen. The novel nature of the issue, combined with the number of impacted organisations (including governmental bodies and a cross-section of Fortune 500 companies), will mean that supply chain risks receive new attention. Whether these types of systemic risks can be properly addressed in the future depends on everyone’s willingness to learn from these types of breaches. In the meantime, the impacted customer organisations will be assessing their exposures, including any regulatory notification obligations, and contacting their cyber response specialists.