Class Action Alleges Colonial Pipeline Company Failed to Secure Critical Infrastructure Prior to Devastating Ransomware Attack

New to ClassAction.org? Read our Newswire Disclaimer

Colonial Pipeline Company faces a proposed class action over the massive ransomware attack that earlier this month crippled the East Coast’s supply of gasoline.

The 37-page lawsuit places blame for the attack, which led to gas shortages and higher prices for consumers as the defendants took the country’s largest refined products pipeline offline for days, on Colonial Pipeline Company’s “unlawfully deficient data security” for the critical infrastructure that runs from Houston, Texas across the South East and into New Jersey before reaching New York Harbor. According to the complaint, the Colonial Pipeline transports approximately 2.5 million barrels daily of gasoline, diesel fuel, heating oil and jet fuel, stretching 5,500 miles, and covers nearly half of the East Coast’s fuel supply.

The defendants, the collection of entities that make up Colonial Pipeline Company, were forced to take the pipeline offline when on May 7 a ransomware attack “crippled” the infrastructure’s functionality, the suit relays. Days later, the FBI revealed the hacking group “Darkside” was responsible for the attack, the case says. According to the complaint, Colonial Pipeline Company should have foreseen that a cybersecurity breach would cripple the pipeline’s functionality.

“Cybercrime is a well-known risk that should be at the top of any list of potential issues that could occur with respect to infrastructural necessities—like power grids, utilities, and, like in the immediate case, gas pipelines,” the suit reads, highlighting attacks against Ukraine’s power grid in 2015, electrical utilities in the U.S. in 2017 and 2019 and the Solarwinds incident in 2020 as proof enough that the defendants should have been on high alert.

“Each of these high-profile events, along with the scores of well publicized data breaches including Home Depot and Equifax, serve as notice for all critical infrastructures, including the Colonial Pipeline, to adequately protect servers and networks which are used by those infrastructures to supply American citizens with the critical commodities and services they need to function,” the complaint reads.

At this time, the lawsuit says, it is unknown whether Colonial Pipeline Company implemented any of the mitigations and contingencies suggested by the federal Cybersecurity & Infrastructure Security Agency (CISA) in order to protect the pipeline from malicious actors. Similarly unknown, according to the case, is whether the Colonial Pipeline could have maintained fuel transmission operations even while its systems were impacted by ransomware, and if the defendants “decided to shut down the Pipeline simple [sic] to avoid losing some money at the expense of the rest of the economy and national security.” 

Overall, Colonial Pipeline Company fell far short of its obligation to protect the pipeline from the very type of attack that occurred on May 7, wherein the hacker group held operations hostage in exchange for a monetary ransom. As a result of the days spent dealing with the attack and the pipeline’s shutdown, consumers and other end-users faced gas shortages and price increases, the suit says. 

“For the first time in six years, the average price of a gallon of gasoline in the United States exceeded $3—and this was due to the Defendant’s failure to adequately protect their IT systems and then shut down the Colonial Pipeline,” the lawsuit alleges. “This injured Plaintiff(s) and similarly situated class members, along with the U.S. economy through higher gasoline prices for consumers and end-users.”

The lawsuit looks to represent all entities and natural persons who bought gasoline from May 7, 2021 through the present and who paid higher prices for gas as a result of the defendants’ conduct alleged in the complaint.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.