Kaseya delays SaaS restore to Sunday, CEO says ‘this sucks’ but decision was his alone
Promises “exponentially more secure” product and cash assistance for customers
Beleaguered IT management software vendor Kaseya has delayed the restoration of its SaaS services until Sunday, July 11.
An update to the company’s incident guidance report includes a video message from CEO Fred Voccola, who took personal responsibility for the delay.
“It is my decision to do this to pull the release from yesterday,” he said. “We had all the vulnerabilities managed and felt comfortable with the release, but third-party engineers made suggestions to add extra layers of protection to guard against things we could not foresee.”
Adding those extra protections led to the delays.
“This was the hardest decision of my career,” Voccola said, but assured customers the result will be a product that is “hardened as much as we feel we can do”. Later in the video he said Kaseya’s VSA product will be “exponentially more secure” due to the changes.
The scheduled time for restoration of SaaS services is 4PM Eastern Daylight Time, July 11th.
“We feel extremely confident … we will have customers coming back online,” Voccola said.
The CEO also sketched a program of cash assistance for Kaseya customers that he said will resemble payments made in March and April 2020. Payments for licences will be deferred.
“Throwing money at problems is not a way to solve them,” Voccola said, but “it is better than not throwing money at them. We are doing what we can do.”
Voccola shot this video in his home, and it was a rather more rustic version than his previous effort – complete with sound glitches and dubious focus.
The CEO was also a little more contrite, admitting “I feel like I let this community down, I let my company down, our company let you down.”
“I am not reading off a script,” he said at one point. “This is not BS – this is the reality.”
But he argued that every software company has flaws, and that the criminals behind the attack bear all responsibility for the incident.
“We love our customers,” he said. “It pisses me off when we do something to hurt them. Especially when it is something like when we have fallen victim to criminal acts, and it has impacted everybody.”
CTO Dan Timpson also appeared in a video, stating that because of the incident Kaseya “is adding a lot more rigour to our processes, to our deployment, to our code base, to keep everyone safe and improve the overall safety of our products.
“We are committed to, and are, working fiercely on our security posture across the board.”
For now, Kaseya has published runbooks for SaaS and on-prem customers. Timpson said both have been peer-reviewed.
Good luck, Kaseya customers. Feel free to let us know how things go on Sunday. ®