The City of Los Angeles filed a class action lawsuit against Hodes Automation for damages related to the recent ransomware attack against the City’s traffic light control system. Harry R. Haldeman announced the lawsuit this morning along with district attorneys from 25 other Southern California cities. “Not only was Hodes negligent in the design of their system, but they published a list of their customers on their web site,” Haldeman told reporters; “That list provided the hackers easy targets for publicly available exploits.”
Dean Hodes, owner of Hodes Automation, had no comment, referring reporters to his lawyer, Eunice Rivers. Rivers’ office issued a statement this morning; “We are looking at the details of the filing by the District Attorney and cannot comment on the facts of the case at this time, but Mr. Haldeman is clearly overreaching in trying to collect expenses the city incurred in their recovery from an incident from my client.” Rivers noted that Hodes had published an updated version of their software two weeks before the vulnerability was announced by Robert Lightman, the researcher who discovered the vulnerability.
Lightman published his report two months ago on the security bypass vulnerability in the TL Control program used by Los Angels and thirty other municipalities in Southern California. “I discovered the vulnerability while doing some work for the city of Montecito,” Lightman told reporters; “And I worked closely with Hodes to help them correct the problem.” Lightman explained that he had a disclosure agreement with Hodes that allowed him to publish his research two weeks after Hodes made their update available on their web site.
The City of Los Angeles installed the TL Control system two years ago after the hack of the Robotron system that the City had been using was discovered. Doug Wilson, the Los Angeles City Manager told reporters this morning that the city had decided to work with a local vendor after having problems working with Robotron. “We felt that a local vendor would be more responsive to our needs,” Wilson said.
When asked when the city became aware of the vulnerability in the TL Control product, Wilson told reporters that he was not able to comment on ongoing litigation. “All questions about the lawsuit should be referred to Haldeman’s office,” Wilson said.
A technician working with the Traffic Department who was not authorized to talk to the press told me that the city never received notification about the vulnerability from Hodes. “We read about the vulnerability in a newspaper article about the ransomware attack,” she said.
The Hodes web site announced the availability of a new version of the TL Control product on December 2nd. There was no mention of security vulnerability on the web site. The TL Control web page was taken down early this afternoon, after the lawsuit was announced.
The lawsuit is seeking $15 million in damages.
The City Traffic department announced a request for bids on a new traffic light control system. The bid request includes new requirements for cybersecurity notifications, including notifying the Department when vulnerabilities are reported to the vendor and reporting when the vendor has mitigation measures available for reported vulnerabilities.
CAUTIONARY NOTE: This is a future news story -