On Sunday, December 13, 2020, the United States acknowledged that hackers had broken into several federal government computer networks. Over the following weeks, the world learned that this sophisticated attack was almost certainly the work of Russian agents, who had managed to collect sensitive data, undetected, for months. As experts learned more, the extent of the breach became clear. This was not just a successful act of espionage. It was one of the largest malware intrusions in years1.

The attack was traced back to a software system, called Orion, an IT management program built and sold by the Texas-based cybersecurity company SolarWinds. Within a short time, SolarWinds became synonymous with data breaches. But SolarWinds isn’t the first company to face a damaging security breach, and the headlines don’t tell the full story.