Colonial Pipeline sends breach letters to more than 5,000 after ransomware group accessed SSNs, more

Colonial Pipeline said the leaks involved the personal information of current and former employees.
Written by Jonathan Greig, Contributor

Colonial Pipeline is sending out breach notification letters to 5,810 current and former employees whose personal information was accessed by the DarkSide ransomware group during an attack in May

The company admitted in an August 13 letter that on May 6, the ransomware group "acquired certain records" stored in their systems. 

"The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, military ID, tax ID and driver's license numbers) and health-related information (including health insurance information). Not all of this information was affected for each impacted individual," the letter said. 

Bloomberg reported in May that before locking down the pipeline's business systems, the group stole almost 100 GBs of data

Colonial Pipeline said it was offering victims of the hack two free years of "identity restoration" and credit monitoring services from Experian. They urged those affected to check their credit reports for any unauthorized activity. 

The letter was first reported by Bleeping Computer and a company official confirmed to CNN Business that personal information was lost during the ransomware attack. 

The attack on Colonial Pipeline, which left significant parts of the East Coast without gas for several days, kicked off a swift change in the government's response to ransomware incidents. Since the attack, multiple new regulations have been released for critical industries in general as well as the oil and gas industry specifically. 

Colonial ended up paying a ransom of $4.4 million to the DarkSide group due to the urgency of the gas crisis, but US law enforcement managed to get a portion of it back

Due to increased law enforcement interest globally, the people behind DarkSide shuttered their operation and some members reformed under a new name: BlackMatter. 

The Record spoke with the operators behind BlackMatter, who specifically cited the Colonial Pipeline attack as "a key factor for the closure of REvil and DarkSide," adding that the group has now "forbidden that type of targeting and we see no sense in attacking them."

Editorial standards