Colonial Pipeline Co. was sued by a gas station seeking to represent thousands more over the ransomware attack in May that paralyzed the U.S. East Coast’s flow of gasoline, diesel and jet fuel.
EZ Mart 1 LLC, a two-pump station in Wilmington, North Carolina, buys its fuel from a distributor supplied by Colonial, according to a complaint filed Monday in federal court in Georgia. Colonial’s headquarters, in Alpharetta, is the site of the “control center” where the electronic ransom note was discovered, EZ Mart says in the lawsuit, in which it seeks to represent more than 11,000 gas stations and asks for unspecified monetary damages.
The hack occurred “despite advance knowledge and warnings,” and in the lead-up to the attack Colonial “repeatedly ignored and rejected efforts by the applicable regulatory agency to meet with it so as to check on its cybersecurity,” EZ Mart alleges.
A spokesperson for Colonial said the company doesn’t comment on pending litigation but “worked around the clock to safely restart our pipeline system following the cyberattack against our company.”
Hackers gained entry to Colonial’s networks on April 29 through a virtual private network account, or VPN, through which employees could remotely access the company’s computer network, a cybersecurity official who responded to the attack has said. The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, so the hackers could breach the network using just a compromised username and password. It isn’t clear how they came up with the right credentials.
The hack affected 45 percent of the East Coast’s fuel supply, driving up gasoline prices and sparking shortages at filling stations after the company shut down the roughly 5,500-mile pipeline on May 7.
Colonial “had no plan in place for ransomware attacks and had left up a legacy VPN system without shutting off logins and passwords for old employees,” which its own experts called “a basic failure,” the gas station alleges.
While apologizing for the massive disruption, Colonial’s chief executive officer, Joseph Blount Jr., has defended the company’s response, including his decision to pay the hackers—an affiliate of a Russia-linked cybercrime group known as DarkSide—$4.4 million in ransom.
“I believe with all my heart it was the right choice to make,” Blount told U.S. lawmakers this month. In a hearing on Capitol Hill, they criticized Colonial’s cybersecurity practices, asking Blount why the company hadn’t hardened its systems before an attack occurred.
In addition to the Colonial hack, Russia-linked criminal gangs have recently been blamed for a ransomware attack against meat supplier JBS SA, which disrupted operations in the U.S., Canada and Australia.
President Joe Biden last week said after a summit in Geneva that he warned Russian President Vladimir Putin against further cyberattacks on U.S. infrastructure. In the lawsuit, EZ Mart claims it has been clear for years that the sector is “especially vulnerable” to both conventional and cyber criminals. The complaint details a history of such warnings and attacks.
The case is EZ Mart 1 LLC v. Colonial Pipeline Co., 21-cv-2522, U.S. District Court, Northern District of Georgia (Atlanta).
–With assistance from William Turton.