Kaseya may be in hot water, as the fallout of the REvil attack reveals new information about the events leading up to the breach. Former employees have come forward claiming that the company knew of the flaws as early as 2017 but took no action.
The claim was made by five former employees, to Bloomberg, in a report released Saturday.
The employees claimed that they flagged many cybersecurity concerns to company leaders between 2017 and 2020, with no action taken.
The most serious issues they flagged involved the use of outdated code, weak encryption and passwords in products and servers, a failure to follow basic security practices such as regular patching, and a focus on sales over other aspects of the business.
Kaseya has not commented on the claims, telling Bloomberg that it has a policy of not commenting on personnel matters or on the ongoing criminal investigation into the attack.
The Dutch Institute for Vulnerability Disclosure disclosed on July 7 that it had informed Kaseya of the vulnerabilities in April.
Cause for legal action
Kaseya told the DIVD researchers that the issues had been patched. Three months later, however, REvil struck using one of the flaws DIVD had reported. Whether through negligence or accident, Kaseya failed to act.
The question now is whether the company is liable for what happened, especially since data may have been stolen in this attack.
With former employees accusing the company of inaction, the chances that Kaseya will face legal action go up. Estimates still place the number of downstream Kaseya customers affected at 1,500.