Class Action Looks to Represent Gas Stations Impacted by Colonial Pipeline Ransomware Attack

New to ClassAction.org? Read our Newswire Disclaimer

A Wilmington, North Carolina gas station is the plaintiff in a proposed class action that looks to represent more than 11,000 similar businesses whose customers reportedly faced increased prices and shortages as a result of the Colonial Pipeline ransomware attack. 

The 46-page lawsuit, filed in Georgia on June 21, says the ransomware attack and subsequent five-day shutdown of the 5,500-mile, three million-gallon pipeline in early May 2021, for which the pipeline’s operators ultimately paid $4.4 million to regain access to systems encrypted by cybercriminals, caused not only fuel shortages and price increases but disruptions to proposed class members’ convenience store sales. 

The plaintiff, a business consisting of two gas pumps and a convenience store, places blame for the attack on Colonial Pipeline Company’s apparently intentional, willful and/or negligent failure to have in place adequate and reasonable cybersecurity measures to protect the critical infrastructure. The ransomware attack supposedly went unnoticed for more than a week until it was discovered by the defendant on May 7. The suit says that while many details of the attack, including its root cause, have not been shared with the public, the opening for the perpetrators is reported to be a compromised virtual private network (VPN) password. 

“Plaintiff and Class Members relied on Defendant to keep the Pipeline operating so that Plaintiff and Class Members could sell fuel to their customers,” the complaint stresses. “Defendant had a duty to adopt reasonable measures to ensure the continued and uninterrupted operation of the Pipeline.” 

Per the suit, the defendants’ cybersecurity shortcomings that preceded the pipeline shutdown were “basic and grossly negligent” given the ransomware attack occurred despite advanced knowledge and warnings, including prior cybersecurity incidents involving pipelines. According to the case, Colonial Pipeline Company, in the lead-up to the attack, “repeatedly ignored and rejected” the efforts of regulators to check on its cybersecurity. The company, which the suit notes paid $670 million in dividends to its owners in 2018, “had no plan in place for ransomware attacks” and left running a legacy VPN system without shutting off logins and passwords for old employees, the lawsuit says: 

“At some point in the past, Defendant switched from its old remote access system to one using two-factor or multi-factor authentication. However, when Defendant did so, it inexplicably left its old, less secure system intact and operational. Defendant took no steps to disable or eliminate the old system nor to eliminate the ability of departed employees – or bad actors who have stolen employee credentials – to access it undetected.” 

Among the information stolen by the attackers was customer billing information, and the present location of the data is unknown, the complaint continues. As the suit tells it, the shutdown came not when the perpetrator had reached the pipeline’s operational systems, but when Colonial Pipeline Company “was not sure it could continue to accurately bill for the product moving through its Pipeline.” 

For the plaintiff, the sudden pipeline shutdown was “calamitous” and jeopardized the business, the lawsuit claims. The plaintiff says that even as customers began to scramble for gas around May 10, daily convenience store sales “began to nosedive.” Although the company sold the last of its fuel on May 12, its pumps were not at full capacity again until May 21, per the suit. All told, the plaintiff business, as a result of the Colonial Pipeline ransomware attack and attendant fuel shortage, saw May sales drop nearly $8,000 from the previous month, according to the case.

“Defendant had touted in public relations materials that it placed its obligations to its customers and the public first but this was not the case in this instance,” the lawsuit scathes before noting that the defendant’s payment of the ransom was covered by its cybersecurity insurance. “The nature of the harm to the Plaintiff was foreseeable.”

The lawsuit looks to represent a proposed class that includes all gas stations that experienced a fuel shortage, an increase in the price paid for gasoline or an inability to sell fuel to their customers as a result of the ransomware attack. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.