The Washington Post

First came the ransomware attacks, now come the lawsuits

Companies that have been locked out of their computer networks by hackers are now getting sued by consumers and workers claiming they were hurt by lax cybersecurity.

A woman asks a gas station worker for assistance as people wait in long lines at an Exxon station on May 12, 2021, in Springfield, Va., after the cyberattack on Colonial Pipeline. (Matt McClain/The Washington Post)

Eddie Darwich and his wife, Abeer, had been running the EZ Mart fuel station on Castle Hayne Road in Wilmington, N.C., for 11 years the day the gas dried up.

At first Darwich was skeptical of the other gas station owners who were calling him with news of a strange computer hack attack on Colonial Pipeline, the company that ran the network of fuel pipes serving much of the East Coast. The pipeline had been shut down, and panicked drivers were buying extra fuel, leading to a run on gas supplies.

“I didn’t believe it,” he said in a recent phone interview. “There’s no way in hell something like this would happen in the United States.”

But it was true. On May 12, five days after an employee in Colonial’s control room discovered the hack, Darwich’s pumps ran dry. He desperately called his supplier, who told him the only thing he could do was wait. Darwich wasn’t the only one who needed gas: Thousands of stations in a dozen states were in the same bind.

“For more than a month I did not see my customers,” he said. “It hurt a lot.”


Now he’s suing Colonial Pipeline over those lost sales, accusing it of lax security. He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It’s just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks.

Another lawsuit filed against Colonial in Georgia in May seeks damages for consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP pursuing a similar effort.

And Colonial isn’t the only company being sued. San Diego-based hospital system Scripps Health is facing class-action lawsuits stemming from a ransomware attack in April.

Cybersecurity lapses at major companies have led to class-action lawsuits and settlements in the hundreds of millions of dollars. Retailer Target paid $10 million to consumers and $39 million to banks after hackers broke into its systems and stole personal information in 2013. Home Depot brokered a similar settlement with shoppers who had their credit card information stolen from the home improvement store’s computers.

Kaseya CEO Fred Voccola described the impact of a sprawling ransomware attack against the software company on July 4. (Video: AP)

But ransomware attacks have the potential to affect people in ways that go far beyond having their personal information stolen and sold online.

Ransomware hackers deploy software that locks the owner of the targeted computer system out of their machines, and demands a cryptocurrency payment in return for handing back control.

In a world where everything runs on computers, these attacks can cause havoc. Hospitals have had to postpone surgeries. In Southern Maryland, Leonardtown was hit by the sprawling Kaseya IT software hack and lost 17 of its 19 computers, forcing it to stop billing residents for electricity and blocking paychecks from going out to town employees. And in the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained.


The rise in lawsuits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud.

“This is an extremely developing and increasing area,” said John Yanchunis, a veteran class-action lawyer with Morgan & Morgan who worked on data breach lawsuits against Yahoo, Equifax and Target. His firm is involved in the lawsuit against Colonial that seeks to represent gas station owners.

American companies are great at selling things, Yanchunis said. But the level of cybersecurity protection at most firms, even giant ones that handle information on millions of people, is still not where it needs to be, he said.

“One thing they have not done and one thing they’re not good at is protecting their information system, because it costs money, and it’s not money that goes to increase profit,” he said.

In the early years of big data breaches, courts were reluctant to acknowledge that having personal information stolen from a company’s computer system could lead to actual harm, said Daniel Solove, a professor at George Washington University Law School and the founder of cybersecurity and privacy training firm TeachPrivacy. But after years of repeated hacks, more courts have begun to recognize that cybersecurity lapses can hurt real people in real ways, he said.


Most cases end up being settled, as companies opt to pay off hacking victims instead of trying to fight costly, protracted court battles.

“Even if you’re going to win, it’s a lot cheaper to settle than it is to fight,” Solove said.

The number of ransomware attacks has ballooned over the last year as more criminals realize the potential for making money and ransomware groups start selling their technology to other, less technically sophisticated criminals.

Whereas traditional cyberattacks meant hackers had to find a buyer for the information they stole to make money, ransomware attacks allow hackers to get paid more quickly and reliably as desperate companies try to regain access to their systems.

Legislators are debating potential solutions, such as dissuading victims from paying hackers by providing them with government money to rebuild their networks. Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, has suggested that the government could require a certain level of security from companies that work in critical fields, like utilities.

But even for companies with relatively good security, hacks can be difficult to completely avoid. It only takes one employee clicking on a fake link or downloading a shady attachment for hackers to break into an otherwise secure system.


“Companies with good security sometimes have lapses,” Solove said. There isn’t a unified legal standard laying out what sort of security a company needs to have to protect it from liability if it loses its customers’ information or suffers a ransomware attack.

“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”

That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue.

In Darwich’s case, it took 10 days before he started getting gas again, all the while watching the big-brand chain gas station down the road from him getting fuel trucked in from elsewhere. The EZ Mart makes most of its money from in-store sales of cigarettes, coffee and snacks, and without gas to draw people, its revenue dropped. By the time Darwich had fuel again, some of his longtime patrons had started going elsewhere.