Colonial Pipeline Facing Multiple Lawsuits After Ransomware Attack
Table of Contents
- By Dawna M. Roberts
- Published: Jul 09, 2021
- Last Updated: Mar 18, 2022
By now, most everyone knows that Colonial Pipeline suffered a massive ransomware attack and paid the hackers (DarkSide) a hefty ransom. Some of which was recovered by law enforcement. However, now the fuel provider faces multiple class-action lawsuits by consumers and gas stations, implying that Colonial Pipeline didn't have sufficient cybersecurity in place to prevent such an attack.
What Happened?
In May, Colonial Pipeline experienced a ransomware attack that led to them shutting down operations for a week. Colonial Pipeline services almost 50% of the fuel needs for the East Coast. They eventually paid the hackers $4.4 million. Soon after, the DarkSide gang shut down operations, and law enforcement seized its bitcoin accounts, recouping a large portion of the ransom.
The attack led Colonial Pipeline to shut down 5,500 miles of its pipeline to mitigate the situation. The result was fuel shortages and a spike in fuel prices, along with customer panic. FBI and law enforcement identified the DarkSide gang as the hackers behind the attack.
Colonial Pipeline paid attackers $4.4 million, and later the FBI recovered $2.3 million of that and returned it to the company. They were able to track the bitcoin payment and seize the coffers.
What Now?
On Monday, EZ Mart 1 LLC, a gas station in Wilmington, North Carolina, filed a lawsuit against Colonial Pipeline, claiming that they did not have an adequate cybersecurity plan in place to avoid this incident. The lawsuit also alleges that the company ignored warnings about ransomware and the dangers.
In Atlanta, Georgia, Morgan and Morgan law firm is attempting to convert the claim into a class-action lawsuit representing 11,000 customers and gas station retailers that were affected by the outage. The case mentions that affected customers lost $5 million during the week-long halt in operations.
According to Data Breach Today, "A Colonial Pipeline spokesperson declined to comment on the lawsuit."
"We are aware of the lawsuit, and while we cannot comment on pending litigation, Colonial Pipeline worked around the clock to safely restart our pipeline system following the cyberattack against our company," the spokesperson says."
Another lawsuit was also filed May 18 by a group of customers who claim the spike in prices hurt them. According to Bloomberg Law and Data Breach Today, the lawsuit states that "the company was negligent because it failed to implement appropriate security standards." The lawsuit claims that "For years, it had been known and publicized that critical infrastructure, such as pipelines, were especially vulnerable to the assaults of both conventional and cybercriminals, and that therefore investing adequately in cybersecurity was essential for those who desired to be in the pipeline business."
Legal Responsibility
Both lawsuits will need to prove beyond a reasonable doubt that Colonial Lawsuit acted negligently and failed to address the security concerns by not implementing proper security protocols. Another issue that legal representatives have to prove is that Colinail had a duty to customers and consumers to do so.
An independent law firm SmartEdgeLaw Group commented that "If there's no clear duty owed to the plaintiffs as to cybersecurity versus operating their pipeline versus fulfilling whatever contract for the purchase of oil and gas they had with Colonial, they wouldn't meet the 'commonality requirement."
The Nitty Gritty Details
The Colonial Pipeline investigation revealed that hackers got into the network through a legacy VPN that was no longer being used. Using stolen credentials, the bad actors were able to hack into the system because the old VPN system did not use two-factor or multi-factor authentication.
The Colonial Pipeline IT department was unaware that the legacy system was still active and connected to the network. This is a point that could be used to show negligence.
Time will tell whether or not the courts agree with these lawsuits and find that Colonial was complicit in the attack through their own negligence.
