
Deep Dive - Aug 2021

ColPipe pays USD 4.4 million ransom following cyber-attack disrupting operations for six days.

On 8 May 2021, CNN reported that a ransomware attack had forced one of the US’s largest pipelines operated by Colonial Pipeline (ColPipe) to shut down operations. On 13 May 2021, Bloomberg reported that on 7 May 2021, hours after the attack had been discovered, ColPipe paid a USD 5 million ransom in cryptocurrency to cyber-criminal gang DarkSide. On 19 May 2021, ColPipe's Chief Executive Officer (CEO) confirmed it had paid a ransom of USD 4.4 million (EUR 3.7 million).
Find out more about this major operational risk loss event by downloading the free Deep Dive from ORX News.

The Deep Dive, usually only available to ORX News subscribers, provides vital information about this information security event, including:
  • A detailed explanation of the event
  • Attack method
  • Internal risk factors, including system security, software and remote working
  • External risk factors, including the hacking group and attack methodology 
  • Remedial measures taken in response to the event
  • Financial and non-financial impacts
Download the free Deep Dive for all this information and more.

Executive summary

CNN reports that ColPipe was founded in 1962 and transports 45 per cent of all gasoline, diesel and jet fuel consumed on the US East Coast. The BBC reported on 9 May 2021 that cyber-criminal gang DarkSide had been officially confirmed as responsible for the incident by the US Federal Bureau of Investigation (FBI). DarkSide is one of many ransomware gangs extorting victims while avoiding targets in post-Soviet states. The groups gain access to private networks, encrypt files using software, and often also steal data and demand payment to decrypt the files and/or ask for additional money not to publish stolen content. ColPipe said it learned about the attack on 7 May 2021. According to Reuters, the hacking group gained access to ColPipe’s cloud computing system and stole over 100 gigabytes (GB) of data which the hackers threatened to leak online. The system was taken offline on 8 May 2021. Reuters also reports that ColPipe's data did not appear to have been transferred from that system to anywhere else, potentially limiting the hackers' leverage to extort or further embarrass the company.

In response to the incident, ColPipe said it had taken certain systems offline to contain the threat which had temporarily halted all pipeline operations and affected some IT systems. ColPipe also engaged third-party firm FireEye Mandiant to investigate the incident and contacted law enforcement and other federal agencies. On 9 May 2021, ColPipe stated that although its four main pipelines remained offline, some smaller inter-terminal lines and delivery points had been re-opened.

The US Department of Energy (DoE) said it was coordinating with ColPipe, US states, and interagency partners to provide situational awareness and support response efforts to the incident. In addition, the DoE was working closely with analysis centres and the energy sector coordinating councils and the sharing of energy information and was monitoring any potential impacts to energy supply. US President Joe Biden was briefed, and the White House had planned for a number of scenarios to help mitigate any potential impact on supply.

The US Department of Transport (USDOT) announced on 9 May 2021 that it had issued a regional emergency declaration following the incident that granted extra work hours for those transporting gasoline, diesel, jet fuel and other refined petroleum products to 18 eastern states.

As of 11 May 2021, ColPipe announced on Twitter that its systems were still not fully functional, and that due to a separate incident unrelated to the ransomware attack its corporate website was experiencing a temporary service disruption. On 13 May 2021, Bloomberg reported that on 7 May 2021, hours after the attack had been discovered, ColPipe paid a USD 5 million ransom in cryptocurrency to DarkSide. After they had received the payment, the hackers provided ColPipe with a decrypting tool to restore its disabled computer network, but the tool they provided was too slow, so the company used its own backups to help restore the system. Reuters reported that the disruption had lasted a total of six days.

Deep Dive. Last Update 28 May 2021

On 19 May 2021, ColPipe's CEO confirmed that he had authorised the payment of a ransom of USD 4,400,000 on 7 May 2021 after an employee found a ransom note from hackers on a control-room computer, as ColPipe's executives were unsure how badly the cyber-attack had breached its systems and therefore how long it would take to bring the pipeline back, The Wall Street Journal reports.

About ORX News

ORX News is the industry’s leading source of operational risk loss events. Firms can subscribe for exclusive data and analysis tailored to the banking, insurance, and asset management sectors.

How does it work?

Our team of dedicated researchers can collectively speak over seven major languages. Accessing recent operational and non-financial risk (ONFR) loss events is made effortless through the ORX News website, where they are summarised in English, categorised, searchable, and exportable. ORX News keeps you informed and connected with the latest ONFR developments and you can use the data for modelling, benchmarking and scenarios.

Find out more about ORX News


Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2024


Lily Richardson

News Manager, ORX

Natasha Smith-Craig

Assistant Research Manager, ORX

Helen L’Abbate

Head of Services, ORX


Want to read more Deep Dives from ORX News? 

Become an ORX News subscriber to read about operational risk loss events from around the world.