Kaseya's Staff were fired for pointing out and/or trying to fix the security vulnerability, as early as 2017, that led to thousands of companies being hit with a ransomware attack recently.

gizmodo.com/kaseyas-staff-soun

@thegibson @Theeo123

Jeez.

"One former employee told Bloomberg that in 2019 he sent Kaseya higher-ups a 40-page memo outlining his security concerns, one of several attempts he made during his tenure to convince company leaders to address such issues.

"He was fired two weeks later, a decision he believes was related to these efforts, he said in an interview with the outlet."

@thegibson @Theeo123 From the Bloomberg article:

"Another employee said Kaseya rarely patched its software or servers and stored customer passwords in clear text -- meaning they were unencrypted -- on third-party platforms, practices the employee described as glaring security flaws."

@erosdiscordia @TheGibson @Theeo123 this should be considered criminal negligence, and people from Kaseya's management should go to jail for that.

Of course, that's not going to happen.

@rysiek @thegibson @Theeo123 There really needs to be some sort of lawsuit mounted for this. It's ridiculous.

Depending on the states where affected MSPs were located, I wonder if there is grounds for it?

Listen to this, also from the B article:

"After studying database log files, Weiss [an MSP owner in CA] said he proved to Kaseya that its software was the vector the hackers had used to target his company.

“They didn’t assign anyone to my account or even follow up to make sure everything was going OK,” he said. “I felt like I was on my own.” He subsequently terminated his contract with Kaseya."

@erosdiscordia @TheGibson @Theeo123 some class action, perhaps?

A bit orthogonal, but it's also related to how we talk about such breaches:

"Hackers hacked Kaseya" evokes a different reaction to this than "Kaseya's management was negligent".

#PetPeeve

@rysiek @thegibson @Theeo123 I don't think it would be too difficult to prove that the management failed first, considering how it sounds like they handled prior breaches.

I was thinking a class action. Florida's probably a tough sell, their laws are fucked beyond belief. But CA, NY?

@rysiek @erosdiscordia @thegibson

"'Hackers hacked Kaseya' evokes a different reaction to this than 'Kaseya's management was negligent'."

Valid point!!

@Theeo123 @rysiek @erosdiscordia

Sodinokibi hit Kaseya in a similar attack in 2019. Sodinokibi became REvil last year.

I’m betting we find out they maintained persistence over the 2 year period and planned this attack.

@rysiek @erosdiscordia @thegibson @Theeo123

It will be complex, but certainly can happen.

Kaseya supplied services and software to other companies, and such contracts always contain provisions about data protection and information security. If Kaseya customers choose to sue them for violation of contract, they have huge chances of winning.

@Theeo123 Guess they don't have an intern to blame it all on like SolarWinds.

@thegibson

@Theeo123 Ignorance is bliss*.

* Until you get hit with the ransomware attack.

@Theeo123 The paragraph which really leaped out at me from that article? The one about outsourcing to Belarus.

That part of the timeline meshes pretty well with the start of our organization seriously considering bailing on the product, which up to that point we'd loved and used for a dozen years or so.

I'm so, SO glad we jumped ship in 2019.