Cybersecurity lapses at major companies have led to big class-action lawsuits and settlements in the hundreds of millions of dollars. Retailer Target eventually paid $10 million to consumers and $39 million to banks after hackers broke into its systems and stole personal information in 2013. Home Depot brokered a similar settlement with shoppers who had their credit card info stolen from the home improvement store’s computers.
But ransomware attacks have the potential to affect people in ways that go far beyond simply having their personal information stolen and sold online.
Ransomware hackers deploy software that locks the owner of the targeted computer system out of their machines, and demands a cryptocurrency payment in return for handing back control.
In a world where everything runs on computers, these attacks can cause havoc. Hospitals have had to postpone surgeries. A small Maryland town hit by the sprawling Kaseya IT software hack lost 17 of its 19 computers, forcing them to stop billing residents for their electricity and blocking paychecks from going out to town employees. And in the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained.
Eddie Darwich and his wife Abeer had been running the EZ Mart fuel station in Wilmington, N.C., for 11 years the day the gas dried up.
At first he was skeptical of the other gas station owners who were calling him with news of a strange computer hack attack on Colonial Pipeline, the company that ran the network of fuel pipes serving much of the U.S. East Coast. The pipeline had been shut down, and a rush on gas was brewing as panicked drivers bought extra fuel.
“I didn’t believe it,” he said in a recent phone interview. “There’s no way in hell something like this would happen in the United States.”
But it was true. On May 12, five days after an employee in Colonial’s control room discovered the hack, Darwich’s pumps ran dry. He desperately called his supplier, who told him the only thing he could do was wait. Darwich wasn’t the only one who needed gas: Thousands of stations in a dozen states were in the same bind.
“For more than a month I did not see my customers,” he said. “It hurt a lot.”
Now he’s suing Colonial Pipeline, accusing it of lax security, to get some of that money back. He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It’s just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks.
Another lawsuit filed against Colonial in Georgia in May seeks to get damages for regular consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP seeking to mount a similar effort. Colonial isn’t the only company that’s been targeted. Another suit was launched in June against the San Diego based hospital system Scripps Health after it was hit by a ransomware attack.
The rise in suits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud.
“This is an extremely developing and increasing area,” said John Yanchunis, a veteran class action lawyer with Morgan and Morgan who worked on data breach lawsuits against Yahoo, Equifax and Target. His firm is involved in the lawsuit against Colonial which seeks to represent gas station owners affected by the hack.
American companies are great at selling things, said Yanchunis. But the level of cybersecurity protection at most firms, even giant ones that handle millions of peoples’ information, is still not where it needs to be, he said.
“One thing they have not done and one thing they’re not good at is protecting their information system because it costs money, and it’s not money that goes to increase profit,” he said.