Lawsuits Allege Colonial Pipeline Had Inadequate CybersecurityGas Stations as Well as Consumers Seek Damages
Colonial Pipeline Co. now faces at least two lawsuits seeking class action status in the aftermath of a ransomware attack in May that led the firm to shut down the operations of a 5,500-mile pipeline for nearly a week.
The latest lawsuit, filed Monday, claims the company lacked a cybersecurity program encompassing ransomware issues at the time of the attack, which led it to shut down pipeline operations serving much of the East Coast. It claims the company ignored warnings about cyber risks to interstate pipeline systems.
The lawsuit was filed on behalf of the owners of EZ Mart 1 LLC, a gas station in Wilmington, North Carolina, which buys its fuel from a distributor that's supplied by Colonial Pipeline. The law firm Morgan and Morgan, which has offices in Atlanta, is seeking class action status for its lawsuit so it can represent more than 11,000 other gas station owners and retailers that were affected by the May 7 ransomware attack against Colonial Pipeline.
The complaint is asking for unspecified monetary damages for those individuals or businesses that sustained losses or damages as a result of the ransomware attack, alleging the incident caused more than $5 million worth of damages.
A Colonial Pipeline spokesperson declined to comment on the the lawsuit.
"We are aware of the lawsuit and while we cannot comment on pending litigation, Colonial Pipeline worked around the clock to safely restart our pipeline system following the cyberattack against our company," the spokesperson says.
Another lawsuit filed May 18, which also seeks class action status, claims that consumers were harmed by increased fuel prices as a result of the pipeline shutdown, Bloomberg Law reports. That lawsuit, which seeks damages, also alleges the company was negligent because it failed to implement appropriate security standards.
If the lawsuits eventually achieve class action status, the plaintiffs' attorneys would then need to prove that Colonial Pipeline acted negligently and show that the company "owed a duty" to those who claim they were affected, says Richard Santalesa, a technology and data privacy attorney at The SmartEdgeLaw Group who is not involved in either case.
"If there's no clear duty owed to the plaintiffs as to cybersecurity versus operating their pipeline versus fulfilling whatever contract for the purchase of oil and gas they had with Colonial, they wouldn't meet the 'commonality' requirement," Santalesa says. "In that case, nothing else would be considered negligence or gross negligence … and their claim will fail entirely regardless of whether the cybersecurity was adequate or not."
The attack against Colonial Pipeline started when attackers entered the company's network through a legacy VPN application that the IT team had been unaware was still attached to the network. The attackers used compromised credentials to access the VPN, which lacked multifactor authentication, according to congressional testimony about the incident (see: House Probes Specifics of Colonial Ransomware Attack).
The ransomware attack on May 7 led the company to close most pipeline operations for nearly a week, which caused spikes in gas prices across the southeastern U.S. and forced many gas stations to close during that time. The FBI later identified the attackers as the DarkSide cybercrime operation, which appears to operate from Russia. DarkSide claimed on May 13 that it had shuttered its ransomware-as-a-service operation (see: DarkSide Ransomware Gang Says It Has Shut Down).
Colonial Pipeline CEO James Blount later revealed that the company paid the attackers a $4.4 million ransom to receive a decryptor key. The FBI and the U.S. Department of Justice later recovered $2.3 million of the payment by tracking part of the payment to a bitcoin wallet that agents were able to access (see: How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?).
While Blount has apologized for the inconvenience the incident caused, the CEO has also defended his company's response and the firm's cybersecurity practices.
The lawsuit filed Monday, however, claims Colonial Pipeline ignored warnings from regulators and the rest of the industry about the cyber risks to interstate pipeline systems.
"For years, it had been known and publicized that critical infrastructure, such as pipelines, were especially vulnerable to the assaults of both conventional and cyber criminals, and that therefore investing adequately in cybersecurity was essential for those who desired to be in the pipeline business," the latest lawsuit states.
Calls for Regulations
The attack against Colonial Pipeline, as well as several other recent ransomware attacks, have spurred several congressional investigations (see: House Oversight Committee Probing JBS Ransomware Payment).
Meanwhile, the Transportation Security Administration, a unit of the Department of Homeland Security responsible for the security of the nation's interstate pipelines, is preparing mandatory cybersecurity requirements for the oil and gas industry, including the mandatory reporting of cyber incidents to the government (see: DHS Preparing More Cybersecurity Requirements for Pipelines).
The attack against Colonial Pipeline, and other ransomware incidents, were a significant topic of discussion between President Joe Biden and Russian President Vladimir Putin during a summit in Geneva on June 16.