SolarWinds to Go Private for $4.4BSolarWinds to Go Private for $4.4B

NEWS BRIEF

SolarWinds, the software and IT company that faced a major supply chain cyberattack in 2020, today announced that it will be acquired by Turn/River Capital for $4.4 billion, or $18.50 per share.

Along with unanimous approval from its board of directors, the transaction also received written approval from Thoma Bravo and Silver Lake, SolarWinds' majority shareholders with a combined 65% of the outstanding voting securities.

SolarWinds will become a privately held company, no longer listed on the New York Stock Exchange, though it will continue to operate under the name SolarWinds and stay headquartered in Austin, Texas.

"This successful transaction and exciting partnership are testaments to our employees' outstanding work of building exceptional solutions and delivering great customer success," said Sudhakar Ramakrishna, president and CEO of SolarWinds, in a statement. "We are confident that Turn/River's expertise and growth orientation will help us ensure SolarWinds continues to drive innovation and deliver even greater value for customers and stakeholders."

The Sunburst Attack Continues to Burn

In 2020, roughly 33,000 of SolarWinds' customers were impacted in a major supply chain attack, affecting thousands of organizations as well as the US government. The breach targeted the SolarWinds Orion management system, where it is believed that Nobelium, a nation-state hacking group, gained access to the company's networks in September 2019.

The attackers inserted malicious code, known as Sunburst, into the Orion system, infecting a software update that led to the compromise of all software builds for versions 2019.4 HF 5 through 2020.1.1. More than 18,000 SolarWinds customers installed these updates, creating a domino effect in those that fell victim to the attack. Years later, in 2023, the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO Tim Brown with fraud and internal control failures, alleging that by ignoring warnings about the company's vulnerable cybersecurity posture, Brown knowingly left the company unprotected.

This breach has had lasting impacts in the cybersecurity industry, and though the attack occurred nearly five years ago, the SEC continues to review the details. Last October, the SEC charged four companies — Unisys, Avaya Holdings Corp., Checkpoint, and Mimecast — for what the regulator said were intentional attempts to minimize the impact of the hack to their systems. It also vowed to deter other companies from submitting vague data breach disclosures after major events like SolarWinds.