Lessons Learned from the Colonial Pipeline Hack (and Other Data Breaches)

September 7th, 2021

One of the largest and most disruptive cyberattacks in years occurred in May 2021, when Colonial Pipeline—a major supplier of gasoline and jet fuel to the American Southeast—was hacked and had its computer systems held for ransom.

Despite making the ransom payment within hours of the attack, the pipeline remained shut down for six days, and full service wasn’t restored for more than a week. In the meantime, flights were grounded, stations ran out of fuel, and shortages triggered price spikes and panic buying across the East Coast.

The Colonial Pipeline incident is just one of the most recent major examples of catastrophic data breaches, which seem to be more and more common each year. But while high-profile targets like Colonial Pipeline understandably get most of the media attention, hackers don’t only go after the biggest corporations. Any company could be at risk—including yours.

What Happened? A Brief Summary of the Colonial Pipeline Hack

On May 6, 2021, hackers believed to be associated with DarkSide, a cybercriminal group likely based in Russia, used a compromised password to steal more than 100 GB of data from Colonial Pipeline servers.

They then launched a ransomware attack that shut down Colonial Pipeline’s billing system and locked the company out of its computers, and demanded payment of about $5 million worth of the cryptocurrency Bitcoin to restore access.

By the following day, Colonial Pipeline shut down all pipeline operations to contain the attack, and paid the ransom. The hackers sent software to restore the computer systems, but it worked very slowly.

Because Colonial Pipeline runs from Texas to New Jersey and supplies roughly half of the fuel consumed on the East Coast, the multi-day shutdown led to price spikes, panic buying, and fuel shortages in several regions. President Biden declared a state of emergency to lift transport restrictions by road on May 9 to help limit the fuel supply crunch.

By May 12, Colonial Pipeline was able to restart operations, and within a few days it was back to full operational capacity. But the effects on the public would continue to linger. By May 14, almost nine out of ten gas stations in Washington D.C. were out of fuel, and more than 10,000 stations across the country were still out even on May 18.

On June 7, the U.S. government announced it had recovered some, though not all, of the ransom.

What Can CIOs and IT Professionals Learn from the Colonial Pipeline Attack?

Your company may not be massive or considered critical infrastructure, like Colonial Pipeline. But your company certainly is critically important to your and your employees’ livelihoods.

And the unfortunate reality is that cyberattacks on small businesses are on the rise. About 43% of all cyberattacks target small businesses, and more than half (60%) of the targeted companies are out of business within six months. If you care about protecting your business—and we know you do—cybersecurity is something you can no longer afford to ignore.

Here are some of the key takeaways—not only from the Colonial Pipeline attack, but also the countless other data breaches from recent years.

Lesson One: Use Multifactor Authentication

In testimony to Congress, Colonial Pipeline CEO Joseph Blount said that the hackers gained access using only a single password they had uncovered to a legacy VPN (virtual private network) that did not have multifactor authentication.

What is multifactor authentication? Basically, it means that in addition to supplying the correct password, the user must complete a second step (for example, supplying a one-time code sent via text message or generated by an authenticator app) to gain access.

If you have multifactor authentication set up, even hackers who manage to get (or guess) your user ID and password might be prevented from gaining access—and if they even try, you may be alerted to the breach in time to change your password.

If you don’t have multifactor authentication set up, however, even the longest and most secure password in the world won’t help you if it falls into the wrong hands.
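To make the difference concrete, here is an added example (not code from the post, from Colonial Pipeline, or from any vendor) of a minimal login check that implements the "second step" as a time-based one-time code (RFC 6238 TOTP, the kind an authenticator app produces). The two accounts, the password and the salt are constructed for illustration; the TOTP secret is the public RFC 6238 test-vector key. The `legacy-vpn-user` account models the password-only VPN described above: the correct password alone grants access. For `vpn-user`, the same leaked password is refused until a valid code for the current 30-second window is also supplied.

```python
"""Added example: password + TOTP (RFC 6238) login check.
Constructed for illustration; not the post's or any product's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time-step counter."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a static salt is used here only to keep the example short."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed account table. The TOTP secret is the RFC 6238 test-vector key.
SALT = b"constructed-static-salt"
ACCOUNTS = {
    # Password only, like the legacy VPN described in the post.
    "legacy-vpn-user": {
        "password_hash": hash_password("Winter2021!", SALT),
        "totp_secret": None,
    },
    # Password plus a second factor.
    "vpn-user": {
        "password_hash": hash_password("Winter2021!", SALT),
        "totp_secret": b"12345678901234567890",
    },
}


def authenticate(username: str, password: str, otp_code: Optional[str],
                 at_time: Optional[float] = None) -> str:
    """Return a short decision string describing why access was granted or refused."""
    at_time = time.time() if at_time is None else at_time
    account = ACCOUNTS.get(username)
    # Always run the password hash so timing does not reveal which usernames exist.
    candidate = hash_password(password, SALT)
    if account is None or not hmac.compare_digest(candidate, account["password_hash"]):
        return "denied: bad credentials"
    secret = account["totp_secret"]
    if secret is None:
        return "granted (password only)"
    if not otp_code or not verify_totp(secret, otp_code, at_time):
        return "denied: second factor required"
    return "granted"


if __name__ == "__main__":
    leaked = "Winter2021!"
    print("legacy VPN, leaked password:", authenticate("legacy-vpn-user", leaked, None))
    print("MFA VPN, leaked password:   ", authenticate("vpn-user", leaked, None))
```

Run it directly and the password-only account is opened by the leaked password while the MFA-protected account refuses it; a real deployment would store a per-user random salt, rate-limit code attempts, and log every "second factor required" refusal, since that refusal is exactly the early warning the paragraph above mentions.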

RELATED: Multifactor Authentication on Everything!

Lesson Two: Don’t Pay the Ransom

Colonial Pipeline made the decision to pay up, supplying the hackers with almost $5 million worth of Bitcoin just hours after the attack began. That’s a decision that their CEO has defended, amid significant criticism.

However, there are several reasons why the FBI, data security experts, law enforcement agencies, and other organizations strongly suggest you don’t pay:

  • It encourages further attacks, putting your company (and everyone else) at increased long-term risk.
  • There’s no guarantee that the hackers will give you a decryption key to restore your access once you pay.
  • Even with a valid decryption key, some or all your data might be missing or damaged.
  • There’s no guarantee that the hackers won’t retain “back door” access that allows them to do further damage even once systems are restored.

If you believe you’ve been the victim of a hack, report it to law enforcement as soon as possible.

Lesson Three: Make Regular Backups (and Have a Disaster Recovery Plan)

Backing up your systems regularly—and having a way to test, scan, verify, and quickly restore those backups when needed—can be the difference between a quick rebound from a hack versus a multi-day IT outage and/or permanent loss of critical data.

A robust disaster recovery plan not only protects you from cyberattacks, but also scenarios like human error, malicious behavior by a disgruntled employee, hardware failure, or even natural disasters.

In addition to on-site backups (which are your first line of defense), having your data backed up in the cloud gives you an added layer of protection in case your backup servers (or entire site) go down.
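The "test, scan, verify" part of Lesson Three is the step that is most often skipped. The following added example (not the post's code and not Veeam's) shows one way to verify a restore: record a SHA-256 manifest of every file when the backup is taken, then compare a restored tree against it and report files that are missing, altered, or unexpected. The sample files and the simulated restore are constructed in a temporary directory so the script runs offline.

```python
"""Added example: SHA-256 manifest for a backup set and a restore verification.
Constructed for illustration; not the post's or any backup product's code."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its hash at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.
    Returns lists of relative paths that are missing, corrupted (hash mismatch),
    or present in the restore but absent from the manifest."""
    report = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["corrupted"].append(rel)
    for p in sorted(restored.rglob("*")):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Back up a constructed tree, simulate a restore that damages one file and
    loses another, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restore"
        (src / "db").mkdir(parents=True)
        (src / "db" / "billing.sql").write_bytes(b"INSERT INTO invoices VALUES (1, 'constructed');")
        (src / "config.ini").write_bytes(b"[vpn]\nmfa=required\n")
        (src / "notes.txt").write_bytes(b"constructed sample file")

        manifest = build_manifest(src)          # taken at backup time

        shutil.copytree(src, dst)               # the "restore"
        (dst / "db" / "billing.sql").write_bytes(b"INSERT INTO invoices VALUES (1, 'TRUNC")
        (dst / "notes.txt").unlink()
        (dst / "stray.tmp").write_bytes(b"not part of the backup")

        return verify_restore(dst, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

A restore test that passes with empty `missing` and `corrupted` lists is the evidence that the backup is usable; scheduling such a check after every backup run, and keeping the manifest with the off-site copy, turns "we have backups" into "we have verified we can recover".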

RELATED: Veeam Backup and Recovery Can Help You Rebound From Cyberattacks Fast

Lesson Four: Monitor and Update Regularly

Cybersecurity is not “set it and forget it.” The technology and tactics used by cybercriminals are always evolving, and that means firewalls that seemed impenetrable two years ago may now be full of holes.

Your approach to cybersecurity must be consistent and ongoing. For example:

  • Actively monitor your systems. In many cases, hackers initially gain access to your system days or even weeks before launching an attack. Advanced anti-malware tools can often detect anomalous activities on your computer network and may help you stop an attack before it even starts.
  • Apply software updates and patches to cybersecurity systems as soon as they are released. Ideally this will be done automatically, rather than manually.
  • Review your cybersecurity tools, procedures, and infrastructure regularly. Sometimes patches alone aren’t enough. As new tools and technologies are developed, your company should remain up to date as your needs and budget allow. Review everything at least yearly, if not quarterly.

Lesson Five: Establish (and Follow) Documented Procedures

Remember when we said that Colonial Pipeline was compromised due to a single legacy VPN that hadn’t been upgraded to multifactor authentication? Although the VPN was considered obsolete and no longer in (legitimate) use, it was still connected to critical systems.

In most cases, this is the kind of mistake that is much more likely to be caught if your company has implemented standard procedures and basic checks for system upgrades, as well as decommissioning obsolete access points.

Lesson Six: Train Every Employee

It’s a mistake to assume that good cybersecurity is merely a matter of having the right technology. Computers aren’t the only machines capable of being compromised or manipulated. People can be, too.

Sometimes all it takes is one inattentive or gullible employee clicking on a malicious link from a phishing email, and the criminals are into your systems. That’s why it’s vitally important that every employee goes through cybersecurity awareness training, knows how to recognize suspicious requests and emails, and knows the steps to take if they receive one.

RELATED: Outsourcing May Be Your Answer to Growing Security and Compliance Complexity

Need Help with Cybersecurity? Virtual Systems Can Help

If your company is like most, your IT team is already stretched to capacity, focusing on other business priorities. Keeping up with cybersecurity best practices, unfortunately, often falls through the cracks. And if vulnerabilities are exploited, the consequences can be catastrophic—not just for you, but potentially your customers, vendors, and others who depend on you.

Virtual Systems offers advanced cloud security solutions for businesses of any size. Our team of cybersecurity experts helps you design and implement flexible, scalable security solutions that keep your data safe, support your business goals, and fit your budget.

Need help making your business more secure? We’d love to hear from you! Drop us a line using our secure contact form and our team will get back to you promptly.


Kelly, S., & Resnick-Ault, J. (June 8, 2021). One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators. Reuters. Retrieved from https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/

Thorbecke, C. (May 17, 2021). Gas hits highest price in 6 years, fuel outages persist despite Colonial Pipeline restart. ABC News. Retrieved from https://abcnews.go.com/US/gas-hits-highest-price-years-fuel-outages-persist/story?id=77735010

Turton, W., Riley, M., & Jacobs, J. (May 13, 2021). Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

Steinberg, S. (Oct 13, 2019). Cyberattacks now cost companies $200,000 on average, putting many out of business. CNBC. Retrieved from https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html
