Colonial Pipeline had no specific plan for what to do in the event of a ransomware attack, its CEO said Tuesday.
Testifying before the Senate Homeland Security and Governmental Affairs Committee, CEO Joseph Blount admitted that while his company had some basic cybersecurity plans in place, it had had “no discussion about ransom” before the attack.
His comments come as U.S. institutions and companies are scrambling to guard against a rash of ransomware attacks that have hit everything from schools and hospitals to cities and major industrial players such as Colonial and meat supplier JBS.
Blount’s statements drew the ire of some of the senators at the hearing.
“It is a stunning admission that Colonial Pipeline did not have a plan in place if hackers requested a ransom payment,” Sen. Maggie Hassan, D-N.H., said in a statement after the hearing. “I’ve talked with small school districts in my state of New Hampshire that are better prepared for cyberattacks than Colonial Pipeline was,” she said.
A Russian criminal hacker group called DarkSide infected Colonial in May. Blount shut down all operations for five days while it tried to safely get back online, and the fallout resulted in gas shortages at some U.S. stations. Colonial operates the largest fuel pipeline in the U.S.
Ransomware attacks, where hackers breach an organization’s computer networks and encrypt its files or threaten to leak them to the public, have steadily grown in number for several years. Often based in Russia or other countries that don’t have an extradition treaty with the U.S., such hackers target practically any kind of internet connected entity they can.
There have been more than 1,000 confirmed ransomware incidents in the U.S. in 2021, according to figures that the cybersecurity firm Recorded Future compiled for NBC News, though the actual number is believed to be far higher.
In the hearing, Blount also confirmed previous reporting that the hackers broke into Colonial by hacking into an older account that did not use two-factor authentication, meaning that it was protected by only a password. A basic and often essential cybersecurity step, two-factor authentication requires someone trying to log in to prove they have a second way of verifying their identity besides just that password, such as access to a smartphone associated with that account.
Blount admitted it was poor cybersecurity to not use the tactic, but defended the password as complicated, saying “it was not a ‘colonial123’-type password.”
The CEO also defended his decision to pay the hackers $4.4 million in bitcoin for a decryptor program, even though Colonial eventually restored its systems by using its own backups.
Exploring every possible option to renew service as quickly as possible “was the right thing to do for the country,” Blount said in his prepared testimony.
Unlike most ransomware victims that choose to pay, Colonial was able to get back much of the money it paid to its hackers. The Department of Justice announced Monday that it had recovered $2.3 million of the payment, a rare success.