Cyber Hackers Hit East Coast Colonial Pipeline & New-World Legal Issues Emerge
Cybercriminals forced the East Coast Colonial Pipeline to go offline Friday, impacting 2.25 million barrels of the coast's supply of diesel, petrol, and jet fuel. The breach is considered the most significant energy breach in history.
This cyber-attack impacted about 45 percent of the entire East Coast's fuel and reinforced the ongoing escalation of cyber hackers and their threat to essential services in the US.
In a statement, the FBI confirmed DarkSide was responsible for the cyber attack.
On Monday, DarkSide hackers released a statement saying they didn't mean to hurt anyone.
"Our goal is to make money and not creating problems for society," DarkSide said in a message on their website.
However, the for-profit scheme did indeed wreak havoc on many millions of people and sent a shocking warning out to all government officials. If this is what smaller, profit-seeking hackers can do, what happens when a country such as Russia or China or any nation decides to attack the US infrastructure due to a cyber political war?
From low-level cybercriminals to state-sponsored genius hackers, cybersecurity leaders warn that the array of cyber hackers of every level of expertise could shut down much of the nation's infrastructure.
In a statement released on Saturday, Colonial Pipeline wrote, "Colonial Pipeline continues to dedicate vast resources to restoring pipeline operations quickly and safely. Segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy, which is leading and coordinating the Federal Government's response."
A report by cybersecurity firm Cybereason states DarkSide has victimized over forty organizations, each time demeaning between $200,000 - $2 million in ransom.
Over the past year, hackers have successfully cyber attacked numerous organizations, including hospitals, entire US municipal systems in cities such as Atlanta, law enforcement databases, and even branches of the federal government.
Though unique, dangerous ransomware such as "Ekans" was designed by cyber hackers for cyberattacks upon gas pipelines, victims are not always forthcoming with the public about their attacks. The Cybersecurity and Infrastructure Security Agency reported cybercriminals to have successfully attacked a gas pipeline operator in 2020, but the business name was never published.
The legal landscape of cybersecurity and hacking is growing annually. Every day, 100 businesses in the US experience a data breach. IBM reports that in 2020, the average cost of a cyber breach cost was $3.86 million, but in the United States, the average cost of a data breach for businesses was $8.64 million, making it the most expensive country.
Any organization that collects and stores personal information such as name, email address, social security number, home address, phone, and other data is legally required to create and enforce "reasonable" data protection at all times.
Attorneys must deal with different cybersecurity laws in different states. Across the US, each state deals with legal liabilities for company data breaches in various manners, but the law requires firms to protect data and client's and consumer's privacy.
If a business gets hacked, there are numerous things the organization can do to lessen the legal implications, such as:
· Immediately notify employees and clients.
· Plan a crisis response for any cyber hacks now, and implement it if this occurs later.
· Work with an attorney to see if the company needs to pay fines. An attorney may recommend running a forensics investigation as well.
· If owners do not send a notice to employees and clients, do not have a response plan ready, and do not immediately install new security measures, their firm may end up in litigation.
Legal firms are also the victims of cybercrimes. The American Bar Association (ABA) has expanded its insurance coverage to include cyber insurance for law firms, considering the sensitive data each firm handles. The ABA also created expanded guidance for law firms since "lawyers have a duty to notify clients of a data breach, and details the reasonable steps they should take to meet ABA model rules."
In "Formal Opinion 483" the ABA notes all attorneys must plan for a possible cyber attack and understand how "model rules come into play" if detected or suspected.
"When a breach of protected client information is either suspected or detected, (the competence rule) requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach," Formal Opinion 483 says. "Lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach," the opinion continues. "The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach."
As legal firms gear up for more cyber attacks upon their law firms or clients, attacks keep occurring and growing in occurrence in every sector.
In the first three quarters of 2020, RiskBased reported 36 billion data records exposed online.
Between January 2005 and May 2020, another study reports 11,762 reported data breaches. Due to state laws that impose different fines and rules for businesses, and the fear of being seen in a negative light by the public, many firms may not report their cyber breaches.
Verizon reports 86 percent of 2020 data breaches were focused on financial profit, while 10 percent of cyber hacks were done for espionage, including government and business data theft.
As for the gas line cyber breach, Colonial Pipeline reported they took their systems offline on Friday after the cyber-attack and restored service.
