CEO Reveals How Easily Colonial Pipeline Hack Could’ve Been Avoided

Joseph Blount

Get Help Now

Schedule a Zoom-session with one of our security experts today!


The Colonial Pipeline hack might not have been the largest hack in recent memory–that probably goes to the SolarWinds, or Microsoft Exchange hacks. But it was definitely the most disruptive.

Within days of ransomware gang DarkSide breaching the country’s largest fuel pipeline, consumers went into a panic. Gas prices skyrocketed. More than half of the gas stations in North Carolina ran out of fuel. In Raleigh, two people were charged with assault after arguing over their place in line at a Marathon station.

gas
Gas prices soared immediately following the Colonial hack. | Source: AP News

Despite DarkSide claiming they didn’t want to cause any problems, they still collected nearly a $5 million ransom from Colonial.

And all of this could’ve been avoided if employees at the pipeline company had taken basic precautions to protect their accounts.

The Colonial Pipeline Hack Came Down to One Password

During an interview with US senators, the head of the Colonial Pipeline revealed that hackers could breach his company by cracking one single password.

Why? Because the breached account didn’t have a second layer of protection.

Colonial Pipeline Chief Executive Joseph Blount said the attack occurred while using a virtual private network (VPN) that didn’t have multi-factor authentication in place.

You can check out the full hearing in this video:

Colonial Pipeline CEO testifies about cyberattack at Senate hearing

Multi-factor authentication means that a code is sent to another device (usually a phone). After entering the normal password, the user must then enter the code to access the account.

In this case, the hackers only needed to steal the regular password without worrying about the second form of authentication.

Blount said,

In the case of this particular legacy VPN, it only had single-factor authentication. It was a complicated password, I want to be clear on that. It was not a Colonial123-type password.

It’s great the password was complicated—all passwords for sensitive accounts should be complex, long, and varied. But any account that contains vulnerable information should always be protected with multi-factor authentication.

Senator Gary Peters, the committee’s chairman, said:

I’m alarmed this breach ever occurred in the first place. Make no mistake: if we do not step up our cybersecurity readiness, the consequences will be severe.

We cannot overlook that such disruptive consequences arose simply because a company didn’t practice good cybersecurity hygiene.

What Is Good Cybersecurity Hygiene?

The security of our personal assets and our nation relies on individuals’ ability to secure their online accounts properly. Cybersecurity is becoming a more pressing issue than ever, and the population needs to become more educated.

Here are a few pieces of cybersecurity hygiene that we should all know and implement:

  • Take your passwords seriously. Passwords are your first line of defense. And for many people, they offer very little resistance. Don’t use personal information, predictable patterns, or the same password for different accounts. Be sure to create long, varied passwords with unpredictable patterns for sensitive accounts.
A few extra characters can go a very long way. | Source: BetterBuys
  • Enable multi-factor authentication. This should be step one whenever you open a sensitive account. Whether it’s your bank account or work account, always be sure to set up two-factor authentication (2FA) on any account that contains your sensitive information.
  • Train employees. The number one way hackers infiltrate accounts is through phishing attempts. Train your employees to spot these imposter emails and make sure they know the basic tenets of cybersecurity hygiene.
  • Invest in cybersecurity software. A Bullguard survey found that one in three small businesses were using free, consumer-grade cybersecurity software. That’s an unacceptable way to protect a business. Invest in high-quality anti-virus and encryption software to protect yourself and your company.
  • Consult with a cybersecurity expert. Talk with an expert to figure the best way to protect you and your business. And always have a plan in place in the event that you are hacked.

At hacked.com, we offer comprehensive protection plans that are perfect for small businesses.

Each protection plan comes with a free consultation to help tailor our packages to suit your needs. If you have any questions about your small business’s cybersecurity, contact us at [email protected] or book a free consultation call today.

Featured image from YouTube.