Ohio’s capital says July ransomware attack leaked info of 500,000

A ransomware attack on the city of Columbus, Ohio that stirred up a high-profile lawsuit this summer exposed the information of more than 500,000 current and former residents, according to data breach filings made on Friday. 

The city government said names, birthdays, addresses, bank account information, Social Security numbers, drivers’ licenses and other information on resident interactions with arms of the Columbus government were posted on the dark web. 

The incident was uncovered on July 18, when the city — Ohio’s state capital — said a “foreign cyber threat actor” attempted to “disrupt the City’s IT infrastructure in a possible effort to deploy ransomware, and solicit a ransom payment” from the government. 

“The Incident was discovered expeditiously, cybersecurity experts were retained, and security measures were implemented to contain the Incident,” the city said. “Despite these efforts, data purported to have been obtained from the City was posted on the dark web.”

The incident caused an uproar in Columbus this summer after city officials initially told the public that resident data was not taken or published by the hackers. The city released a statement at the time claiming they had “thwarted” the ransomware attack and were able to “significantly limit potential exposure.”

The city caused further outrage among cybersecurity professionals after suing a researcher who accessed the stolen information and proved the city was not being truthful about how available the data was. 

Last week, the city dropped the lawsuit against the researcher, Connor Goodwolf, after he agreed to a permanent injunction that says he is only allowed to share parts of the stolen data leak that are considered public record. He can only share the information with written approval from the city. 

“My other goal is for the city to have a method available to talk with a person who can manage reports involving sensitive information, as I made several attempts only to be told ‘the mayor’s office and DOT is handling the hack’ and having my reporting fall to deaf ears,” Goodwolf told the local NBC affiliate. . 

“After speaking with others, the city has a long road ahead of rebuilding the trust with the cybersecurity community, as damage was done by bringing the civil suit against a good faith security researcher.”

The ransomware attack was claimed by the Rhysida ransomware group, which said it stole 6.5 terabytes of information from the city’s systems and declared that  the stash contained emergency services data, access to city cameras and more.

Mayor Andrew Ginther said in August that officials were deeply concerned about the potential for police data and other sensitive information becoming public. 

They noted the particular danger facing people who may have information in files stolen from the prosecutor’s database. City Attorney Zach Klein said that while some of the information leaked is publicly available, he acknowledged that there are “probably people that are out there that are maybe trying to escape an abuser, that are trying to escape a situation that could be violent for them.” 

“While you may need a certain level of expertise to access information on the dark web — it’s not something you can easily Google — the fact of the matter is that criminals out there may have access to it with their own sophistication,” he said. 

Several police officers have since filed lawsuits against the city for their handling of the attack, with several claiming their bank accounts and email accounts have been accessed.  

Columbus Department of Technology Director Sam Orth told the city council last week that months after the incident, there are still some systems that have not been restored since the ransomware attack. A report on the incident scheduled for the end of October was pushed back to December. 

The city said that it is working with law enforcement to “bring those behind this Incident to justice” while the investigation continues. Victims will be given two years of identity protection services.