We are still in the midst of the aftermath from the Colonial Pipeline ransomware incident.
Organizations and individuals are teaming up to fight back against the oil giant through multiple class-action lawsuits.
Many gas stations and individuals on the east coast of the U.S. were directly affected when Colonial made the decision to shut down its pipelines. Business lost out on potential sales, and people were forced to pay higher gas prices.
Colonial shutdown affected local gas stations
In one of the lawsuits, North Carolina gas station EZ Mart brings a Class Action Complaint against Colonial Pipeline, alleging the company's failure to properly secure its pipeline, which negatively affected the business and 11,000 other gas stations.
After learning of the ransomware attack on May 7th, Colonial shut down its pipeline operations, fearing it would not be able to properly bill its customers.
It was not until May 10th when EZ Mart owners Abeer Darwich and her husband Ahmad Darwich began hearing the incident would affect petroleum supplies in the southeast of the U.S.
By May 12th, EZ Mart had sold the last of its fuel supply and the inside sales at its convenience store took a nosedive. It wasn't until May 21st that its pumps were at full capacity again.
Here is how the business was affected, according to court documents:
"In addition to the loss of gasoline sales, Plaintiff EZ Mart saw inside sales drop precipitously. Due to the Pipeline Ransomware attack and attendant fuel shortage, Plaintiff EZ Mart's sales for May ($76,185) fell by $7,789 compared to sales from April ($83,974), even though the EZ Mart is located on a busy thoroughfare outside a popular coastal city and May is the beginning of tourist season."
Court documents also claim gross negligence at the well-resourced company (who paid $670 million in dividends in 2018) as it allegedly failed to ensure the security of its systems:
"For networks with national security implications, and which provide essential infrastructure, such as the Defendant's Pipeline as Defendant itself admits in public pronouncements, it is grossly negligent to require nothing more by way of authentication than a simple login and password, including that of an old worker on an outdated and superseded system, to access to inner workings of the company's system and to allow a data breach including on information and belief unfettered access by the hackers to the sensitive and private data of Pipeline distributors, customers and users."
Court documents list a number of ways Colonial Pipeline allegedly failed at cybersecurity. This is only a partial list:
- "Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered."
- "Educate top management on ransomware and similar cybersecurity threats, and designate an executive management position to handle cybersecurity issues."
- "Ensure that old VPN remote access systems are taken down when new ones are instituted."
- "Ensure that employee logins and passwords that are no longer being used are turned off and disabled."
- "Allow government agencies charged with the mission of assisting private industry to ensure their adequate cybersecurity are given recognition and cooperation, rather than rejecting their efforts to assist."
- "Ensure that when it comes to a private company that holds an effective monopoly and a bottleneck over critical infrastructure with national security implications, that company does not use VPN remote access with lax security measures."
- "Require two-factor or multi-factor authentication for any and all remote access to the company’s computer systems."
- "Ensure regular, thorough cybersecurity audits."
- "Engage outside cybersecurity consultants and firms to ensure industry standards are met for cybersecurity for the company."
- "Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing."
For the rest of the list, read the EZ court documents.
Colonial ransomware incident affects individuals
While thousands of gas stations were left without anything to pump, customers were forced to pay for gas at a much higher price than normal.
Which brings us to our second class-action lawsuit, North Carolina resident Ramon Dickerson vs. Colonial Pipeline.
The case introduction alleges the following:
"As a result of the Defendant's failure to properly secure the Colonial
Pipeline’s critical infrastructure—leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021—there have been catastrophic effects for consumers and other end-users of gasoline up and down the east coast.
The Defendant's unlawfully deficient data security has injured millions of consumers in the form of higher gas prices, and gasoline shortages that exist/existed, due to Colonial's decision to effectively turn off the Pipeline. As a result, Plaintiff brings this action in order to redress the injuries caused to them and the members of the proposed Class due to the Defendant's conduct."
The class-action lawsuit aims to represent anyone who purchased gas after May 7, 2021, who paid higher prices due to Colonial's conduct.
Court documents from this case make similar allegations as the EZ Mart case, stating numerous ways Colonial allegedly failed in securing its infrastructure.
You can read the Dickerson v. Colonial court documents for more information.
