Software maker Kaseya Ltd. may be in more legal trouble following the REvil ransomware attack after former employees have claimed that they warned executives at the company as early as 2017 about critical flaws but no action was taken.

The claim comes from five former employees who spoke to Bloomberg, which reported it Saturday. The employees claimed that they flagged wide-ranging cybersecurity concerns to company leaders between 2017 and 2020 but they were not fully addressed.

Among the most serious issues are said to have been software using outdated code, the use of weak encryption and passwords through the company’s products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software, and a focus on sales over other priorities.

Kaseya declined to comment on the report, telling Bloomberg that it has a policy of not commenting on matters relating to personnel or the ongoing criminal investigation into the hack.

The claim by former employees comes after the Dutch Institute for Vulnerability Disclosure disclosed July 7 that it had informed Kaseya of a number of vulnerabilities in early April. DIVD was subsequently told by Kaseya that the vulnerabilities had been patched, but one of the vulnerabilities it had disclosed was exploited by REvil three months later.

As noted at the time, if Kaseya failed to act, whether intentionally or by accident, it does raise the issue that the company could potentially face legal liability issues, potentially given the theft of data involved in the attack.

Since former employees are now saying that Kaseya may have intentionally ignored known security vulnerabilities and practiced poor cybersecurity across the board, that increases the chance that Kaseya may find itself facing legal action, both by users of Kaseya VSA and by regulators.

REvil is a so-called double-tap ransomware gang that not only encrypts data but also steals data, threatening to release the data if a ransom is not paid. That data is involved immediately means the attack falls under the likes of the European Union General Data Protection Regulation and the California Consumer Privacy Act.

If Kaseya is found to have breached the EU GDPR, the fine could be substantial. Hotel chain Marriott International Inc. was fined the equivalent of $123.6 million in July 2019 for a data breach in November 2018 that exposed the records of some 500 million customers.

How many of their customers had data accessed is the question in relation to a potential fine. Although the exact size of how many downstream Kaseya VSA customers have been affected is not clear, estimates are up to 1,500.

Image: Kaseya