Single password gave Colonial Pipeline hackers access

JOSEPH BLOUNT: “I believe with all my heart it was the right choice to make.”

Colonial Pipeline CEO Joseph Blount on Tuesday defended at a Senate hearing his decision to pay ransom to hackers who caused the most disruptive U.S. cyberattack on record, adding that they were able to get into the system because the company did not have multifactor authentication in place.

SENATOR PORTMAN: "Prior to the attack, did your company require all employees to use multifactor authentication?"

JOSEPH BLOUNT: "Ranking member Portman, in the case of this particular legacy VPN, it did only have a single factor authentication. It was a complicated password. So I want to be clear on that. It was not a 'Colonial123' type password."

SENATOR PORTMAN: "So would your advice going forward be that multifactor authentication ought to be used?"

JOSEPH BLOUNT: "Ranking member Portman, that's absolutely the correct advice."

Security experts recommend two-factor authentication, which requires a secondary measure such as a text message to a mobile phone or a hardware token, and most major companies require it.

The FBI attributed last month’s hack – which disrupted fuel supplies to the U.S. Southeast and caused a days-long shutdown that led to a spike in gasoline prices and panic buying – to a Russia-based cybercrime group called DarkSide.

Colonial Pipeline paid the hackers nearly $5 million to regain access.

But the Justice Department on Monday said it had recovered some $2.3 million in cryptocurrency ransom paid by the company.

The DOJ has urged companies to inform authorities whether they paid ransom to cyberattackers.

But during Tuesday’s hearing, Blount said he believed that the issue of paying the ransom did not come up in conversations with the FBI the day of the attack.

PORTMAN: “What did the FBI tell you? What did they advise you to do in regards to paying the ransom?”

JOSEPH BLOUNT: “Ranking member Portman, I believe I was not involved in those conversations with the FBI, but in discussions with my team, I don’t believe that the discussion about the ransom actually took place the first day, May 7th, but I do agree that their position is they don’t encourage the payment of ransom, it is a company decision to make.”

PORTMAN: “So you knew what their advice was going to be even though they didn’t provide it that day?”

JOSEPH BLOUNT: “Ranking member Portman, yes sir, we did.”

Blount said even after getting the key from the hackers, the company is still recovering from the attack.

SENATOR PETERS: “How long do you think it’ll take for you to be 100 percent?”

JOSEPH BLOUNT: “I think what a lot of people don’t realize with cyberattacks and the repercussions of a cyberattack is that it takes months and months and in some cases, what we’ve heard from other companies that have been impacted, years to restore your systems. Our focus that first week was to restore the critical systems that we needed on the IT side in order to safely and securely bring our pipeline system back up.”