Kaseya staff were fired for reporting security flaws exploited in ransomware attack

Miami, Florida - Kaseya employees who flagged big security flaws in the company's system were actively silenced in the years leading up to the July 2 ransomware attack that took down businesses all over the world.

People were fired and jobs were outsourced when employee complaints about security at Kaseya grew too loud (stock image).  © Collage: 123RF/lightwise & 123RF/onsnoei

While the FBI conducts a criminal investigation into the perpetrators of the Kaseya ransomware attack, security professionals are turning their gaze towards Kaseya itself.

Bloomberg spoke with several former employees who said they had drawn attention to glaring issues between 2017 and 2020.

The software engineers and developers said that, aside from "outdated code", the company failed to follow even the minimum security practices that any company should, let alone one producing software. From weak passwords to shoddy encryption, nothing was done to fortify the company's defenses.

The emphasis, the employees said, was on sales, not security patches, and one staff member was fired after drafting a 40-page memo of security concerns.

Customers would have been shocked to learn that their passwords were effectively stored in the open on third-party platforms without encryption. The "VSA" software that REvil used to gain access to all those customers was old and had been recommended for replacement many times – to no avail.

Outsourcing dozens of jobs to Belarus might have been the company's way of dealing with annoying whistleblowers. The move was concerning to the interviewed employees, given Belarus's relations with Russia.

Earlier this year, Dutch and Swedish security researchers took just hours to point out flaws in Kaseya's systems. This exposure seemed to finally jolt the company into making some efforts to fix things, but not enough, apparently.

Employees also revealed that Kaseya's VSA software had been hacked by REvil before, but Kaseya did nothing. It is not clear whether this history will be addressed by the FBI.

Cover photo: Collage: 123RF/lightwise & 123RF/onsnoei
