‘And then next thing you know, we ran out completely’: the Colonial Pipeline debacle and what it means in the age of ransomware

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

Joe Biden and Vladimir Putin were sitting across from each other in a gigantic room, on a lush and palatial carpet, dwarfed by bookshelves colored gold from age, backed by their respective country’s flags, discussing one of the most important issues of our time: ransomware. 

“How would you feel,” Biden asked the Russian president, “if ransomware took on the pipelines from your oil fields?” 

“It would matter,” Putin acknowledged.

The two world leaders were meeting in Geneva on June 16 for their first joint summit of Biden’s presidency. Biden was specifically referencing the Colonial Pipeline ransomware attack that began May 7 of this year, the biggest of its kind ever in the United States. It led to a complete shutdown of fuel, for six harrowing days, to nearly half of the East Coast.

Ransomware is digital extortion: it involves hacking a system, then blocking access to that system, or threatening to publish sensitive information, until a “ransom” is paid in cryptocurrency. In the Colonial Pipeline attack, a Russian cybercriminal group known as DarkSide gained access to the computer systems controlling all 5,500 miles of the largest pipeline system for refined oil products in America.

In addition to stealing an enormous cache of data, they shut down the company’s billing system and demanded nearly 5 million dollars in Bitcoin. While Colonial’s CEO, Joseph Blount, made the payment within hours, the debilitating sprawl of the attack — DarkSide hackers spent a week undetected within the system, and even their “fix” left the servers excruciatingly slow — meant that Colonial couldn’t safely restore pipeline operations until May 12, five days after the ransomware attack began.

Putin and Biden didn’t arrive at many other points of agreement during their joint summit, besides the obvious one that ransomware has disastrous consequences on countries — and consumers. After the Colonial Pipeline was shut down, panic buying led to long lines at gas stations observed only before hurricanes. 

Nationwide, gas prices crested at an average of $3.04 a gallon, the highest in six years at the time, rising even more in Southern states. The fuel scare resulting from the ransomware attack got so bad, the U.S. Consumer Product Safety Commission issued a statement urging people to “not fill plastic bags with gasoline.” 

Both Biden and Georgia Governor Brian Kemp declared a state of emergency.

And then the pumps started to go dry. 

Mike Addel, owner of a Shell gas station in Wilmington, North Carolina, said he had to stop selling gas completely during the ordeal.

“I had to put yellow bags on my pumps,” he said. “I lost out on a lot of sales. I had heard rumors through one of my guys that dealt with our gas: ‘There was a hack, something big got hacked.’ That’s all I really knew. And then next thing you know, we ran out completely.” 

Though clearly still frustrated by the incident, Addel said he was optimistic about his ability to rebound. 

“Eventually, you can get the customers back, but you can never get those sales back.”

Addel was able to resume operations in just a few days, but on May 18 — 6 days after pipeline operations were supposedly restored — over 10,600 stations across the country still reported having no fuel to sell. 

These gas stations and their customers are the plaintiffs, respectively, for the two class-action lawsuits currently filed against Colonial. 

The first lawsuit, Dickerson v. CDCP Colonial Partners, L.P., which was filed by Evangelista Worley LLC and Milberg Coleman Bryson Phillips PLLC, represents the millions of consumers who were forced to pay higher gas prices for weeks due to the supply and demand shortage. 

The lawsuit alleges that Colonial and its owners “failed to properly secure the Colonial Pipeline’s critical infrastructure–leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021,” and states that this negligence directly translated into harm for the consumer. A second lawsuit of this kind is currently being investigated by Chimicles Schwartz Kriner & Donaldson-Smith.

The other class-action lawsuit, filed in June, EZ Mart 1, LLC v. Colonial Pipeline Company represents over 11,000 gas stations like the Shell in Wilmington, NC, who lost business as a result of the ransomware attack. Like the first class action lawsuit, it firmly blames Colonial for its negligence in cyberspace, arguing that because the “pipeline is essential infrastructure and a vital artery for the distribution of fuel to most of the eastern United states,” Colonial failed in its duty to protect the pipeline.

While the lawsuits move through the court system, all eyes are on its outcome — given its relevance for similar, future cases.

“It’s rare in litigation over cyberattacks like these that the damages are so palpable,” Vineet Dubey, a Los Angeles-based consumer protection attorney, told TopClassActions.com. “While it’s sometimes hard to place what harm has been caused by a stolen password, it’s much easier to identify the damage done to someone that relies on the pipeline for their livelihood, whether as a worker or consumer.” 

“If these class actions proceed, they could set new standards that would prove useful to plaintiffs in future cyber attack related litigation — particularly if the courts agree that Colonial had a federal obligation to keep its pipeline operational. Companies would be seeing this case cited a lot in litigation going forward, as it’d establish that private companies owe its customers an obligation they’re arguably not owed currently,” Dubey said.

Like it or not, we live in the age of ransomware — the United States faced over 65,000 ransomware attacks last year, averaging seven attacks per hour. They will continue, and the culpability that companies face over them will continue to be a matter of heavy debate. Colonial has moved to dismiss Dickerson v. CDCP Colonial Partners, L.P., arguing, among other points, that pipeline regulation falls to the Federal Energy Regulatory Commission, not the court systems; that the economic loss doctrine — which prevents a party from seeking greater recovery in tort than would otherwise be available — precludes any claims of negligence; and that they don’t sell to, and thus have no relationship with, consumers.

They may have a point. The particularly ingenious way that Colonial was hacked makes the ransomware attacks feel more inevitable — a feature of our times — than a product of negligence. DarkSide gained access to Colonial’s system through a legacy VPN application — buried and forgotten software — which didn’t require two-factor authentication. They entered an employee’s username and password which had been lifted from a separate, unrelated website leak — and chances are, if you’re reading this, you’ve been part of one of those leaks yourself.

Still, one could argue that the predictability of such attacks makes proper cybersecurity all the more necessary.

“Carelessness is enough to file lawsuits against a company,” Johannes Larsson, a Swedish entrepreneur and cybersecurity consultant, said. “The massive damage caused by the negligence of the Colonial Pipeline was beyond comprehension. Its primary duty as a significant gasoline supplier was to provide the maximum level of security into its systems to prevent any form of malicious attacks.”

The story doesn’t end all bad. Using the Bitcoin public ledger and some wizardry of their own, the FBI has since recovered at least $2.3 million of the Bitcoin ransom. In May, Joe Biden suggested the US would “disrupt [DarkSide’s] ability to operate,” and soon after, DarkSide announced that its funds and servers had been seized and that it would be shutting down. While some believe this is just a ruse to continue their activities under a different name, one thing is clear — whether from DarkSide or elsewhere, whether dispensed in a class-action lawsuit or not, someone will always pay a price for ransomware.

Even if ultimately found not liable for the damage, “Colonial Pipeline’s credibility has gone down the drain,” Larsson said, “and left them with cases to face and a responsibility to shoulder.”

[getsocial app=”sharing_bar”]

---