Colonial Pipeline: Attack Exposed Personal DataCompany Says Employees' Personal Data Compromised
The ransomware attack that targeted Colonial Pipeline Co. in May compromised the personal information of more than 5,800 individuals - mainly current or former employees - according to a data breach notification letter the company provided to the Maine attorney general's office.
In a notification letter being sent to individuals affected by the breach, Colonial Pipeline notes that an investigation into the ransomware attack, which was discovered on May 7 and led to major fuel delivery disruptions along the East Coast of the U.S., uncovered that personally identifiable information was compromised by the attackers.
The exposed data includes names, contact information, dates of birth and Social Security numbers, as well as other types of government-issued identification information, such as military and tax IDs and driver's license numbers. The breach also compromised certain healthcare-related information, according to the notification letter.
"Not all of this information was affected for each impacted individual," according to the letter.
As a result of an investigation, "we learned that an unauthorized party acquired certain personal information in connection with the attack," a Colonial Pipeline spokesperson tells Information Security Media Group. "We have begun the process of directly notifying individuals whose relevant personal information was acquired, and we are offering complimentary credit monitoring services to those individuals. Most of the impacted individuals are current or former Colonial employees and, in some cases, their beneficiaries or dependents."
Colonial Pipeline is offering those affected by the breach two years of prepaid credit monitoring services, according to the notification letter.
The ransomware attack against Colonial Pipeline was discovered in the early morning of May 7. The company made a decision to shut down most of its operations to prevent the crypto-locking malware from spreading from the IT system to the firm's OT systems, CEO Joseph Blount later testified before a House committee investigating the incident (see: House Probes Specifics of Colonial Ransomware Attack).
Blount also testified about paying the ransomware gang that conducted the attack about $4.4 million in ransom to obtain a decryption key, although the company was able to recover most of its systems through backups. The FBI later recovered about $2.3 million paid to the attackers.
Congressional testimony by incident response firm FireEye, which Colonial Pipeline hired to conduct an investigation, later revealed that the attackers appeared to have compromised the company's network on April 29, using credentials for a legacy VPN application that the IT team had been unaware was still attached to the network. The VPN also lacked protections such as multifactor authentication, according to the testimony of Charles Carmakal, CTO of FireEye.
Bloomberg reported that the cybercriminals appeared to have exfiltrated about 100GB of company data from the firm's network on May 6 during a two-hour span and planned to release the stolen data if the ransom demands were met.
The Colonial Pipeline spokesperson says that the company is continuing to investigate the attack, including what personal data may have been compromised during the incident.
While the disruption to Colonial Pipeline's operation was the main cause of concern of this attack, Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, says it's not surprising that the company is now discovering that personal data was also compromised.
"This is the second hammer that falls: a painstaking effort to determine what, if anything, was stolen," says Hamilton, now the CISO for Critical Insight. "Because the ransomware operators are known to gain persistence for quite some time prior to pulling the encryption trigger, there is ample opportunity to take records - whether to hold as additional leverage for the ransom to be paid or to monetize independently."
Andrew Barratt, managing principal at security consulting firm Coalfire, also notes that the incident involving Colonial Pipeline shows that a ransomware attack can be more than a disruption of services to customers.
"Most people assume that a ransomware attack is just a 'business interrupt' event, but really we need to consider that the malware being used is often a multi-headed hydra capable of many, many things," Barratt says.
Following the attack, the FBI announced that it had determined that a Russian-speaking ransomware-as-a-service gang called DarkSide had been responsible.
After the attack and the FBI clawing back part of the ransom, DarkSide appeared to have shuttered its operations, although some security experts now believe that one of the gang's affiliates has resurfaced as a group called BlackMatter (see: BlackMatter Ransomware Appears to Be Spawn of DarkSide).
Fabian Wosar, CTO of security firm Emsisoft, has said the ransomware code used by BlackMatter shares many characteristics of the DarkSide code, which means it's extremely likely they're the same.
The attack against Colonial Pipeline, along with other ransomware attacks conducted by cybercriminal gangs that appear to operate within Russia's borders, was a major point of discussion between President Joe Biden and Russian President Vladimir Putin when the two met in Geneva in June. While Putin denied his government had any hand in these attacks, the U.S. pushed the Russian government to crack down on these groups (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
Meanwhile, the White House and the U.S. Department of Homeland Security have issued new cybersecurity guidelines for the owners and operators of oil and gas pipelines in response to the attack on Colonial Pipeline. Additional measures are expected as well (see: Biden Calls for Critical Infrastructure Security Standards).