In the Wake of a Ransomware Attack, Colonial Pipeline Now Faces Lawsuits

Colonial Pipeline faces lawsuits after a ransomware attack disrupted fuel supplies, sparking legal battles over cybersecurity failures, economic losses, and infrastructure risks.

ByDani Alexis Ryskamp, J.D.

Updated on

colonial pipeline

In May 2021, a ransomware attack shut down 5,500 miles of pipeline for nearly a week. Now, Colonial Pipeline Co. has become the defendant in at least two potential class action lawsuits.

The Claims Against Colonial Pipeline

On June 21, 2021, an individual filed a complaint in the U.S. District Court for the Northern District of Georgia. The plaintiff, EZ Mart 1 LLC, alleges Colonial Pipeline failed to secure its pipeline against cyber attacks. As a result, the complaint claims, hackers were able to execute a ransomware attack against the 5,500-mile pipeline. The complaint alleged hackers held certain data on the pipeline’s system hostage until Colonial Pipeline agreed to pay over $4 million in ransom.

“Even with the decryption tool, it took approximately five days for the defendant to restart the pipeline,” the complaint alleges. During those five days, “more than 11,000 gas stations suffered fuel shortages, driving up the price of gasoline and decreasing convenience store sales,” the plaintiff said.

EZ Mart 1 LLC files the complaint on behalf of itself and 11,000+ gas stations it says suffered adverse consequences secondary to the ransomware attack. EZ Mart 1 LLC is a Wilmington, North Carolina gas station that bought fuel from a distributor supplied by Colonial Pipeline.

The complaint seeks monetary damages for individuals and businesses that suffered losses or damages stemming from the attack.

Plaintiff Ramon Dickerson also filed a similar lawsuit in the Northern District of Georgia on May 18, 2021. While this lawsuit names several defendants, including Colonial Pipeline, it also seeks damages for losses stemming from the ransomware attack. The May 18 lawsuit also seeks class action status for the plaintiffs allegedly injured by the attack and its consequences.

Gas Shortages and Other Consequences of the Attack

The affected pipeline was “the largest pipeline system for refined oil products in the US…consisting of two tubes…5,500 miles (8,850 km) long…and [capable of carrying] 3 million barrels [more than 100 million gallons] of fuel per day between Texas and New York,” according to the June 21 complaint.

Using compromised credentials, attackers were able to gain control of the network by accessing a legacy VPN application. Due to a possible oversight by the company’s IT staff, the company’s network still had the legacy application. Lack of multifactor authentication in the VPN may have made it easier for attackers to gain access to Colonial Pipeline’s computer network.

Once inside, attackers were able to encrypt certain key data belonging to Colonial Pipeline. They then demanded the company pay a ransom to receive the necessary decryption key to unlock the data and restore pipeline functions. Colonial Pipeline eventually agreed to pay $4.4 million in ransom. The FBI and US Justice Department later recovered $2.3 million by tracking portions of the payments made in cryptocurrency.

The attack closed many Colonial Pipeline operations, both on the day of the attack itself and for several days afterward. Facing a gasoline shortage, the southeastern US saw spiking prices and other consequences that caused several gas station businesses to close.

The June 21 lawsuit claims Colonial Pipeline knew of the risks of ransomware and other cyber attacks against key infrastructure. The infrastructure included oil and gas pipelines. Despite knowing its pipeline faced risks, however, Colonial Pipeline failed to “invest…adequately in cybersecurity,” the complaint alleges.

What to Expect as the Case Proceeds

The Colonial Pipeline case has already led to calls for investigations. Furthermore, the case also called for tighter regulations concerning the security of key elements of the nation’s infrastructure. During a June 16 summit in Geneva, President Joe Biden and Russian President Vladimir Putin discussed the dangers of ransomware incidents.

Key issues include whether the ransomware attack could have been prevented or its effects mitigated. Experts on cybersecurity who specialize in ransomware attacks may be asked to opine in the case. Plus, attorneys may also ask experts who can opine on accessing networks through compromised sources like VPNs, and how IT teams might spot and close such loopholes may be asked to opine in the case. Their contributions will likely play a role in the settlement of claims against Colonial Pipeline. Expert contributions will also likely impact how similar issues are handled in the future.

About the author

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D.

Dani Alexis Ryskamp, J.D., is a multifaceted legal professional with extensive experience in insurance defense, personal injury, and medical malpractice law. Her diverse background includes valuable internships in criminal defense, which have enriched her understanding of various legal sectors. She served as the Executive Note Editor of the Michigan Telecommunications and Technology Law Review, demonstrating a strong commitment to legal scholarship. Dani graduated with a J.D. from the University of Michigan Law School in 2007, following a summa cum laude B.A. in English from Ferris State University in 2004. She is an active member of the Michigan State Bar and the American Bar Association, reflecting her dedication to the legal profession.

Currently, Dani has channeled her legal expertise into a successful career as a freelance writer and book critic, primarily focusing on the legal and literary markets. Her writing portfolio encompasses a wide range of topics, including landmark settlements in medical negligence cases, jury awards in personal injury lawsuits, and analyses of legal trial tactics. Her work not only showcases her legal acumen but also her exceptional ability to communicate complex legal issues effectively to a broader audience. Dani's unique blend of legal practice experience and her prowess in legal writing positions her at the intersection of law and literature, allowing her to contribute meaningfully to both fields.

Dani earned her Bachelor of Arts in English from Ferris State University, where she was involved in various activities, including serving as a tutor at the Writing Center, editor in chief of the Muskegon River Review, president of the Dead Poets' Society, secretary of the Public Administration Association, and a member of the varsity synchronized skating team. She obtained her Doctor of Law from the University of Michigan Law School, participating in the Michigan Telecommunications and Technology Law Review, Wolverine Street Law Moot Court, and the Mock Trial Team. Additionally, Dani holds a Master of Arts in English Language and Literature/Letters from Western Michigan University, where she was a graduate assistant for the Hilltop Review.

PREVIOUS ARTICLE

JUUL Settles With North Carolina for $40 Million Over Underage Vaping

NEXT ARTICLE

TransUnion v. Ramirez: No Harm, No Foul

background image

Subscribe to our newsletter

Join our newsletter to stay up to date on legal news, insights and product updates from Expert Institute.

Sign up now