Ransomware Class Action Suit
The City of Los
Angeles filed a class action lawsuit against Hodes Automation for damages
related to the recent ransomware attack against the City’s traffic light
control system. Harry R. Haldeman announced the lawsuit this morning along with
district attorneys from 25 other Southern California cities. “Not only was
Hodes negligent in the design of their system, but they published a list of
their customers on their web site,” Haldeman told reporters; “That list
provided the hackers easy targets for publicly available exploits.”
Dean Hodes, owner of
Hodes Automation, had no comment, referring reporters to his lawyer, Eunice
Rivers. Rivers’ office issued a statement this morning; “We are looking at the
details of the filing by the District Attorney and cannot comment on the facts
of the case at this time, but Mr. Haldeman is clearly overreaching in trying to
collect expenses the city incurred in their recovery from an incident from my
client.” Rivers noted that Hodes had published an updated version of their
software two weeks before the vulnerability was announced by Robert Lightman,
the researcher who discovered the vulnerability.
Lightman published
his report two months ago on the security bypass vulnerability in the TL
Control program used by Los Angels and thirty other municipalities in Southern
California. “I discovered the vulnerability while doing some work for the city
of Montecito,” Lightman told reporters; “And I worked closely with Hodes to
help them correct the problem.” Lightman explained that he had a disclosure
agreement with Hodes that allowed him to publish his research two weeks after
Hodes made their update available on their web site.
The City of Los
Angeles installed the TL Control system two years ago after the hack
of the Robotron system that the City had been using was discovered. Doug
Wilson, the Los Angeles City Manager told reporters this morning that the city
had decided to work with a local vendor after having problems working with Robotron.
“We felt that a local vendor would be more responsive to our needs,” Wilson
said.
When asked when the city
became aware of the vulnerability in the TL Control product, Wilson told
reporters that he was not able to comment on ongoing litigation. “All questions
about the lawsuit should be referred to Haldeman’s office,” Wilson said.
A technician working
with the Traffic Department who was not authorized to talk to the press told me
that the city never received notification about the vulnerability from Hodes. “We
read about the vulnerability in a newspaper article about the ransomware attack,”
she said.
The Hodes web site
announced the availability of a new version of the TL Control product on
December 2nd. There was no mention of security vulnerability on the
web site. The TL Control web page was taken down early this afternoon, after
the lawsuit was announced.
The lawsuit is
seeking $15 million in damages.
The City Traffic
department announced a request for bids on a new traffic light control system.
The bid request includes new requirements for cybersecurity notifications,
including notifying the Department when vulnerabilities are reported to the
vendor and reporting when the vendor has mitigation measures available for
reported vulnerabilities.
CAUTIONARY NOTE: This is a future news story – Future ICS Security NewsRead More