The giant ransomware attack against Kaseya might have been entirely avoidable. Former staff talking to Bloomberg claim they warned executives of “critical” security flaws in Kaseya’s products several times between 2017 and 2020, but that the company didn’t truly address them. Multiple staff either quit or said they were fired over inaction.
Employees reportedly complained that Kaseya was using old code, implemented poor encryption and even failed to routinely patch software. The company’s Virtual System Administrator (VSA), the remote maintenance tool that fell prey to ransomware, was supposedly rife with enough problems that workers wanted the software replaced.
One employee claimed he was fired two weeks after sending executives a 40-page briefing on security problems. Others simply left in frustration with a seeming focus on new features and releases instead of fixing basic issues. Kaseya also laid off some employees in 2018 in favor of outsourcing work to Belarus, which some staff considered a security risk given local leaders’ partnerships with the Russian government.
Kaseya has declined to comment.
The company has shown signs of wanting to mend issues. It fixed some problems after Dutch researchers pointed out vulnerabilities. It didn’t fix everything, however, and it didn’t take long before analyst firms like Truesec found glaring flaws in Kaseya’s platform. This wasn’t the first time Kaseya faced security issues, either. The company’s software was reportedly used to launch ransomware at least twice between 2018 and 2019, and it didn’t significantly rethink its security strategy.
However accurate the reports may be, Kaseya’s situation wouldn’t be unique. Staff at SolarWinds, Twitter and others have described security lapses that weren’t fixed in time. That just makes the situation worse, mind you. It suggests that key parts of American online infrastructure have been vulnerable due to neglect, and that these basic missteps are all too common.