Allegheny County Airport Authority sues IT company for alleged cybersecurity failures
The Allegheny County Airport Authority this week sued an information technology company, alleging that it failed to properly perform cybersecurity services, leading to vulnerabilities in its network that were ultimately critiqued by the federal government.
The lawsuit against Involta LLC was filed Tuesday in federal court in Pittsburgh.
It includes claims for breach of contract and professional negligence, contending that Involta failed in its cybersecurity obligations — including testing for and then remediating vulnerabilities in the system.
Lisa Bodine, a spokeswoman for Cedar Rapids-based Involta, said the company is reviewing the complaint and does not comment on the substance of pending litigation.
“The situation is unfortunate, but we intend to continue our ongoing discussions with the Airport Authority to find a resolution acceptable to both parties,” she said.
According to the lawsuit, the authority contracted with Involta to provide both IT and cybersecurity services for its computer systems.
The authority operates Pittsburgh International Airport, which serves millions of passengers each year.
The systems are designated as critical infrastructure and subject to “significant physical and cyber security regulations” governed by the U.S. Department of Homeland Security, Transportation Security Administration and the Federal Aviation Administration, according to the lawsuit.
The breach in contract, the lawsuit contends, resulted in significant losses and expenses for the authority, including having to retain additional IT and cybersecurity consultants.
Bob Kerlik, an airport spokesman, said the matters complained of in the lawsuit occurred from 2015 to 2018. “Safety, security and health are always the top priorities, and our IT systems are reliable, safe and secure today.”
He would not comment further, citing pending litigation.
According to the complaint, the authority contracted with Data Recovery Services in 2013 to manage its IT services, and in 2015, Involta bought that company’s assets, taking over the contract with the authority.
Contracts between the parties exceeded $1 million.
Among the duties required in the contract were providing maintenance and software support for servers used by the authority and providing cybersecurity services like vulnerability scans and penetration testing to “determine if vulnerabilities exist that could be exploited by nefarious parties to unlawfully access ACAA systems, devices or data.”
The lawsuit alleges that Involta failed to meet industry standards — including for hardware maintenance, software support and updates and in installing antivirus software on authority servers.
“Despite Involta’s contractual obligation to install patches and updates in a timely fashion, Involta allowed outdated and unpatched software to remain in use at ACAA for excessive periods of time, and Involta left known vulnerabilities unpatched.”
The lawsuit also claims that Involta’s failures related to the authority’s ability to recover data in the event of a disaster.
Had the company properly tested the disaster recovery site, the lawsuit continued, it would have shown that the system would not have been able to accommodate anything more than email in the event of a natural or man-made disaster. That means there would have been a loss of files, data and applications, as well as network disruption, the complaint said.
Involta failed to run an adequate number of vulnerability scans, the lawsuit said. It also failed to resolve problems that were discovered.
“ACAA was unaware of Involta’s errors and omissions until a third-party cybersecurity audit in November 2018 identified them in dramatic fashion,” the lawsuit said.
The complaint does not expand on that statement.
The errors and omissions by Involta were so severe, the lawsuit said, that the third-party audit was controlled by federal law as “Sensitive Security Information” that required TSA and Department of Transportation approval to be able to disclose it to a person “without a ‘need to know.’”
In addition, Homeland Security did a review of the authority network and found “critical errors” that were the sole responsibility of Involta, the complaint said.
To address the failings of Involta, the lawsuit said, the authority hired several third-party vendors, costing about $700,000.
In addition, authority employees spent about 5,000 hours on remedial efforts to mitigate the damage, resulting in an additional loss of $325,000 to the authority, as well as delays on other projects.
The lawsuit notes that from October 2018 until this month, the authority attempted, to no avail, to resolve the dispute with Involta, which it says knew of the failures since 2016.
Paula Reed Ward is a TribLive reporter covering federal and Allegheny County courts. She joined the Trib in 2020 after spending nearly 17 years at the Pittsburgh Post-Gazette, where she was part of a Pulitzer Prize-winning team. She is the author of "Death by Cyanide." She can be reached at pward@triblive.com.