Several states have declared a state of emergency after the cyberattack on Colonial Pipeline, due to consumers panic-buying fuel. This is leading to shortages with impact across 18 states. Per CISA, Colonial Pipeline had not revealed any technical details of the attack to them as of Tuesday morning. The company had reached out to the FBI, but not CISA.
Congress has already noted the incident, citing it in hearings this week that were a follow-up to the SolarWinds breach.
In a follow-up to the DC police department breach, after a week of silence, the Babuk ransomware gang has posted another round of documents, which the department has verified as genuine. The group’s message: “You still have the ability to stop it.” Additionally, the group has announced they are moving to an extortion-only model and will close their affiliate program.
Insurance company AXA has revealed that, at the request of the French government, it will stop reimbursing ransom payments in France. Policies will still cover the cost of recovery. Think that’s just international? State lawmakers in North Carolina are considering a law to ban paying ransoms to hackers.
Why do we care?
The headline – ransomware hits pipeline, and you pay at the pump. That’s what consumers are walking away with.
But let’s talk consequences. So where are the consequences for a breach?
Flash forward to another breach that is still top of mind. CRN reported recently that the SolarWinds executives were paid their entire 2020 performance-based compensation after overseeing the most significant supply chain breach in history.
They really learned their lessons, didn’t they? I’m sure those leaders are really going to take security seriously going forward, because they really felt the sting of that one. Now, do we think anyone at Colonial Pipeline will be responsible for their mistake?
Here’s the squeeze – criminals are clearly acting, and we should be pursuing them. Criminals are out to be paid – and they ARE. But that said, if the only consequence is a financial loss, it’s no surprise insurance companies happily go along with the request to stop paying. Who do you think victims will come for next for damages?
But if the only consequence is financial… will it really stop? I made the prediction for 2021 that someone will be hit with criminal negligence charges. The pressure is mounting. Consumers are feeling this cost right in their pocketbooks. Insurance companies are pushing back. And the next rounds of real targets are clearly technology companies… who at first glance appear not to be paying a price.