Colonial Pipeline Sued by Customers Affected by Its Ransomware Incident

The owner of the EZ Mart gas station is suing Colonial Pipeline, accusing it of lax security, reports the Washington Post: He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It's just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks. Another lawsuit filed against Colonial in Georgia in May seeks to get damages for regular consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP seeking to mount a similar effort.

Colonial isn't the only company that's been targeted. Another suit was launched in June against the San Diego based hospital system Scripps Health after it was hit by a ransomware attack...

In the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained. The rise in suits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud...

The potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue.

No invoice, no delivery.

[bidule]

I've heard the story that they could still deliver gas, but because their invoicing system was down they couldn't bill their customers.

If that is true, they deserve those lawsuits.

Re:

[Superdad]

> ... because their invoicing system was down they couldn't bill their customers

But why should they give their 'product(s)' away ?
Or was it they couldn't balance cash in to cash out (to buy the oil in the pipe(s) ?

SD

Re:

[geekmux]

> ... because their invoicing system was down they couldn't bill their customers

But why should they give their 'product(s)' away ? Or was it they couldn't balance cash in to cash out (to buy the oil in the pipe(s) ?

SD

Unless every single gauge and meter is 100% electronic, I find it hard to believe that they had no way of determining just how much product was pumped during a specific timeframe. In fact, from what it sounds like, the billing system was the primary system affected, not the delivery system. They could have probably still pumped gas, and reconciled later. THAT, was likely determined to be too much work, and given the fact that they're a critical-need producing entity, they don't give a shit about any cons

Re:

[Known Nutter]

Unless every single gauge and meter is 100% electronic,

Yes, they're called flow meters. Here are some examples:

https://www.instrumart.com/cat... [instrumart.com]

Re:

[inode_buddha]

And guess what, flow meters aren't always electronic. My previous employer ran both kinds alongside each other.

Re:

[hey!]

Understand, you're responding to something someone on the Internet "heard", which as far as I can see does not agree with what reliable sources. Those sources so far are reporting that the ransomware affected SCADA systems that manage the pipeline.

In the *hypothetical* situation where the company's deliveries were halted because it was unable to bill, it depends on what their delivery contracts say; they don't *own* the gasoline, they simply pipe it from the refinery to distribution points. If the contract

Re:

[bidule]

I was hoping someone would pipe in with actual facts to confirm/deny that rumor. You are the closest to that.

Do you have a source for your statments?

Re:

[jmccue]

Yes 100% true, and to make things more fun, prices spiked so when turned on, they got a windfall due to the higher prices

(aimed at someone else) And how to Bill, simple, ever heard of Gas Meters ? Every house receiving Gas has one, just send someone out to read your meter. That is how things were before everything was driven by CEO Bonuses and firing people.

So yes, Colonial should be forced to refund every customer 12 months of payments to allow for damage and higher prices paid by their Customers.

Re:

[whoever57]

And how to Bill, simple, ever heard of Gas Meters ? Every house receiving Gas has one, just send someone out to read your meter.

Probably a very good example: my gas meter uploads its data automatically, so normally no manual reading. But: the meter can still be read manually.

Re:

[thegarbz]

If that is true, they deserve those lawsuits.

And if it's not true they don't? I don't think there's any legal basis for that distinction. If they are claiming incompetence then it doesn't matter what the incompetence was, if they were claiming breach of contract then I highly doubt the contract spells out the specific reasons why delivery can be suspended, and if they focus on force majeure then I guess they will focus on the fact that they failed to secure their systems and thus were in control of their fate as evidence that it wasn't force majeure.

I

Re:

[bidule]

And if it's not true they don't?

Is there really someone on /. that doesn't understand how an IF construct works?

Turn in your nerd card. :p

Re:

[thegarbz]

Not at all. I was asking you if you actually believe that statement to be all encompassing. If you're going to appeal to logic, then at least list out the complete logic tree.

Your turn to hand in your nerd card.

Re:

[bidule]

How about you? You're asking but not answering.

Now go play in the park, I'm sure there's an abandonned chew toy for you.

Re:

[thegarbz]

Sorry I understand now. It's not logic you don't understand, but rather basic English comprehension. Or maybe you have to short of an attention span to read to the end of my post which included not only "answering" but also justification.

Now go play in the park, I'm sure there's an abandonned chew toy for you.

I do give you bonus points though. If your goal is to look like a worthless thundercunt who does nothing than name call and provide absolutely zero value to any post then you are very good at it.

Goodbye.

Re:

[bidule]

What's wrong with you man?

Do you think it's your God-given right to launch Inquisitions and people have to give answers to your petulant demands?

Go outside, breathe some fresh air. Regain your sanity. I feel sorry for you.

Re:

[inode_buddha]

It makes me wonder whatever happened to mechanical meters, and a guy standing there with pencil, paper, and clipboard?
And at the end of the day it all goes into "Accounts Receivable" which will be settled whenever the system is back up and running again.

The other side of de regulation

[140Mandak262Jamuna]

We systematically removed all regulations, and gave full free hand to these companies. Now the only mechanism we have left to make the behave is law suits. When one party believes government is evil, government does not work, and sabotage the government indiscriminately, there no other recourse left for people.

I hate ambulance chasers and personal injury law suits, but we need something to make the companies take security seriously.

Re:

[gtall]

Mo' bad news, the party that doesn't believe in government just spent the last 4 years stacking the courts with like-minded imbeciles. So those companies with the rights of individuals might get nailed some of the lower courts but will get their relief when their cases hit the Supreme Court.

Hit the MBAs in the pocket books

[RitchCraft]

It's the only way you're going to get companies to fund their IT departments with serious money allowing the staff to take the required measures against malware.

Re:

[LenKagetsu]

Fines need to be a percentage of revenue along with a portion of that being in the form of shares handed to the government.

Security goes both ways

[geekmux]

"And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue."

While it may not be as applicable in this case, what exactly is the legal recourse when we find 300,000 lazy humans utterly failed to patch and maintain their shit properly, which enabled a massive DDoS attack against a corporation?

Security goes both ways. Often those who are quickest to point fingers, turn out to be obscene hypocrites when it comes to security.

Re:

[geekmux]

Sadly, this is when insurance should step in and start charging fuck-you rates for those companies who hold onto a give-a-shit attitude about security, and prioritize profits instead.

Perhaps once the executives realize their bonuses won't be coming back until they invest and secure properly, then maybe we'll see actual change.

Shit

[Malays2 bowman]

As I was reading the summary, I kept thinking "please don't let it be because the control system for the pipeline was affected". Thankfully, it wasn't.

In this day and age, control systems for natural gaslines pipelines should be kept fully air-gapped, running an OS that would be considered 30 years out of date in regards to current technology but be as robust as possible and only do what it's intended to do (this is part of the reason the Space Shuttle was still using 1980s level tech by the time the fleet

Re:

[jmccue]

No mod points, so a /s aimed at Colonial

Companies were able to deliver Gas to their customers for well over 120 years, and even get paid. Guess what, there was no internet back then.

How was this done, I maybe magic. No wait, the CEO actually had to hire people to check your meter at your house or business location. But instead they fired them, put everything on the internet in order to increase their bonuses.

How did people survive without the Internet 30 years ago ? Big mystery, and back then to disable

Re: Shit

[Malays2 bowman]

"How was this done, I maybe magic. No wait, the CEO actually had to hire people to check your meter at your house or business location. But instead they fired them, put everything on the internet in order to increase their bonuses."

Should we go back to manual valves, telephone linkups, and send a guy to the meter (who will get shot in some neighborhoods). Stuff like pipelines are on their own network that completely and 100% seperate from the net, and running a fault tolerant bare minimum system such as QNX

Re:

[omnichad]

This is a gasoline pipeline.

Re:

[Retired ICS]

"and anyone who says "Wouldn't it be great if we connect the system to the net" need to have their passwords revoked, security key cards invalidated, and escorted off of the premesis by security in an instant."

The unemployment office is overloaded with imbeciles. Instead these people are sent to "learn to code" classes where they can inflict there arsinine stupidity on the widest possible area. This is the nature of modern "IT Kiddies".

Re: Shit

[Malays2 bowman]

And those "IT-Kiddies" are the perfect useful idiots that companies love who are helping to bring about all of the lockdowns and restrictions to ensure that control is transfered from the device owner to the corporations. I can imagine the two minutes hate video that they are forced to watch that protray people who like to tinker with their own devices, or who simply don't want to be endlessly monitored and like to keep their private content private (off the cloud) as some dark force that need to be squashe

There has to be a "Better Way"

[ytene]

In 1988, Ronald Reagan said that cutting red tape was one of his proudest achievements [apnews.com].

Somehow, the United States has chosen to misinterpret this statement and use it like a rallying cry to strike down anything that gets in the way of corporate profits.

It wasn't that long ago that Donald Trump was trying his best to ride that same horse [forbes.com].

The problem is that one corporation's "red tape" is another corporation's "legal safety net", or a community's "environmental safeguards", or "health and safety protection". It doesn't take long to see a lot of mud being thrown in an attempt to muddy the waters and make it less obvious whether the "red" tape being attacked is something truly bad, or something that exists for protective purposes.

On the face of it, there's something deeply wrong with a nation if our response to the malicious actions of a group of foreign ransomware terrorists is to sue the victim. Unless that company has been blatantly negligent, such an act risks becoming ultimately self-harming in that one of two outcomes are likely to follow:-

1. The defendant survives the lawsuit [whether asked to pay out or not] and their strategic response is to increase prices and bind clients to one-sided contracts, mandatory arbitration clauses and other legal devices specifically designed to ensure that the company is never again placed in such a position. Ultimately that's counter-productive for future scenarios where customers have legitimate complaints.
2. The defendant doesn't survive the lawsuit and they are forced in to bankruptcy. Victims walk away with "pennies on the dollar" for their losses, the lawyers buy yachts, and the company that steps in after the fiasco charges more for a poorer service that is protected by significantly tighter legal protections: once again customers lose in the long term.

Specifically in the case of the Colonial Pipeline, however, what we have is something which, whilst privately owned and operated, could be reasonably interpreted to be "critical infrastructure" to the nation. So in this case, rather than "doing a Reagan" and wiping out more "red tape", it seems that a better approach might be to consider three things:-

1. Establishing a definition for "critical infrastructure" such that any commercial service can be assessed against the criteria and, with an extremely low probability of error or unspecified result, identify whether or not that service falls within the umbrella.
2. Developing a set of mandatory guidelines that must be applied by any corporation offering "critical infrastructure services".
3. Creating - maybe as an arm of the FTC - an Inspections service with the sole responsibility of auditing "Critical Infrastructure Providers" on a regular basis, to ensure that they meet their obligations.

It would also be trivial to pass a law to require any corporation falling within the dragnet of "critical infrastructure provision" to undertake such audits on a regular basis, to have comprehensive insurance in place and to have their contingency plans regularly tested.

Yes, all of this costs. But think of it this way: what if the next attack on critical infrastructure, the next "Colonial Pipeline" wasn't the work of a bunch of cybercriminals, but the work of a hostile nation state as a prelude to a larger move against US interests.

Look at recent world history. Ukraine. The South China Sea. It's not like we're not getting any warnings.

Do we really want to sit idly by and wait and see how things turn out?

Re:

[Tough Love]

Looking for a grossly negligent party? Sue Microsoft.

Re:

[ytene]

That's an interesting suggestion to make.

You rather imply that in your view there was an issue with Microsoft software.

Except, of course, we already know that the entry point was a compromised password [bloomberg.com] that gave the attackers access to a VPN service that allowed them access to the Colonial network.

And we also know that an outside audit of the Colonial network, conducted in 2018, found "glaring deficiencies and big problems [marketwatch.com]", according to Robert F. Smallwood, whose consulting firm delivered an 89-pa

Re:

[Tough Love]

Unless you can provide details that show otherwise?

Colonial Pipeline ransomware attack linked to Microsoft Exchange vulnerabilities [windowscentral.com]

Re:

[ytene]

Vulnerabilities that were known in advance of the attack and for which patches were available that Colonial failed to install because they don’t have good patch hygiene.

Don’t get me wrong. I have an extremely low opinion of Microsoft but in this case the root cause lies with Colonial.

Re:

[Tough Love]

The root cause lies with Microsoft, exacerbated by idiots at Colonial, who among other things made the poor decision of entrusting their corporate DNA to Microsoft.

Re:

[ytene]

Just to underscore my point Following your link to Windows Central, the article there includes a quote from a Tweet to the effect that Colonial were in May still running code with a vulnerability that had been identified in March.

So thanks you’re making my point for me.

Re:

[Tough Love]

Just to underscore the fact that Windows is a vulnerability farm and everybody knows it.

Bound to Fail

[Retired ICS]

This is bound to fail.

Any consequence suffered by the complainant was caused by the direct actions of the defendant and had nothing whatsoever to do with the so-called RansomWare Attack or the respondents "security" or lack thereof. The "RansomWare Attack" was completely irrelevant to the decision of the respondent to breach the contract between the respondent and the complainant.

Err..

[Vegan Cyclist]

Shouldn't the US gov't be taking action against them for funding (aka paying out to) enemy state actors/terrorists?

How is it that funding enemy states money is illegal, but 'paying ransomware' legal? Would this fit under treason?

Asking for a friend.

Re:

[ytene]

Tell your friend to go read 18 USC Section 2.

Iron clad rule

[ceg97]

For every mishap there will be lawyers gorging.