In May 2021, a ransomware attack shut down 5,500 miles of pipeline for nearly a week. Now, Colonial Pipeline Co. has become the defendant in at least two potential class action lawsuits.
The Claims Against Colonial Pipeline
On June 21, 2021, an individual filed a complaint in the U.S. District Court for the Northern District of Georgia. The plaintiff, EZ Mart 1 LLC, alleges Colonial Pipeline failed to secure its pipeline against cyber attacks. As a result, the complaint claims, hackers were able to execute a ransomware attack against the 5,500-mile pipeline. The complaint alleged hackers held certain data on the pipeline’s system hostage until Colonial Pipeline agreed to pay over $4 million in ransom.
“Even with the decryption tool, it took approximately five days for the defendant to restart the pipeline,” the complaint alleges. During those five days, “more than 11,000 gas stations suffered fuel shortages, driving up the price of gasoline and decreasing convenience store sales,” the plaintiff said.
EZ Mart 1 LLC files the complaint on behalf of itself and 11,000+ gas stations it says suffered adverse consequences secondary to the ransomware attack. EZ Mart 1 LLC is a Wilmington, North Carolina gas station that bought fuel from a distributor supplied by Colonial Pipeline.
The complaint seeks monetary damages for individuals and businesses that suffered losses or damages stemming from the attack.
Plaintiff Ramon Dickerson also filed a similar lawsuit in the Northern District of Georgia on May 18, 2021. While this lawsuit names several defendants, including Colonial Pipeline, it also seeks damages for losses stemming from the ransomware attack. The May 18 lawsuit also seeks class action status for the plaintiffs allegedly injured by the attack and its consequences.
Gas Shortages and Other Consequences of the Attack
The affected pipeline was “the largest pipeline system for refined oil products in the US…consisting of two tubes…5,500 miles (8,850 km) long…and [capable of carrying] 3 million barrels [more than 100 million gallons] of fuel per day between Texas and New York,” according to the June 21 complaint.
Using compromised credentials, attackers were able to gain control of the network by accessing a legacy VPN application. Due to a possible oversight by the company’s IT staff, the company’s network still had the legacy application. Lack of multifactor authentication in the VPN may have made it easier for attackers to gain access to Colonial Pipeline’s computer network.
Once inside, attackers were able to encrypt certain key data belonging to Colonial Pipeline. They then demanded the company pay a ransom to receive the necessary decryption key to unlock the data and restore pipeline functions. Colonial Pipeline eventually agreed to pay $4.4 million in ransom. The FBI and US Justice Department later recovered $2.3 million by tracking portions of the payments made in cryptocurrency.
The attack closed many Colonial Pipeline operations, both on the day of the attack itself and for several days afterward. Facing a gasoline shortage, the southeastern US saw spiking prices and other consequences that caused several gas station businesses to close.
The June 21 lawsuit claims Colonial Pipeline knew of the risks of ransomware and other cyber attacks against key infrastructure. The infrastructure included oil and gas pipelines. Despite knowing its pipeline faced risks, however, Colonial Pipeline failed to “invest…adequately in cybersecurity,” the complaint alleges.
What to Expect as the Case Proceeds
The Colonial Pipeline case has already led to calls for investigations. Furthermore, the case also called for tighter regulations concerning the security of key elements of the nation’s infrastructure. During a June 16 summit in Geneva, President Joe Biden and Russian President Vladimir Putin discussed the dangers of ransomware incidents.
Key issues include whether the ransomware attack could have been prevented or its effects mitigated. Experts on cybersecurity who specialize in ransomware attacks may be asked to opine in the case. Plus, attorneys may also ask experts who can opine on accessing networks through compromised sources like VPNs, and how IT teams might spot and close such loopholes may be asked to opine in the case. Their contributions will likely play a role in the settlement of claims against Colonial Pipeline. Expert contributions will also likely impact how similar issues are handled in the future.