Attack and Data Breach Details
The City of Columbus, Ohio, has notified 500,000 individuals about the theft of their personal and financial information during a ransomware cyberattack in July 2024.
On July 18, 2024, the city, with a population of over 905,000, was targeted by a ransomware attack that disrupted connectivity and services across public agencies. While initial reports claimed no systems had been encrypted, further investigations revealed sensitive information may have been stolen.
The Rhysida ransomware group claimed responsibility for the attack on the same day, stating it had exfiltrated 6.5 TB of data, including employee credentials, security camera recordings, server copies, and other confidential information. After failing to extort the city, the attackers began leaking data, releasing approximately 45% of the stolen information—about 3.1 TB—on their dark web portal.
Controversy Over the Integrity of Leaked Data
Columbus Mayor Andrew Ginther attempted to reassure the public by claiming the leaked data was “encrypted or corrupted.” However, security researcher David Leroy Ross, known as Connor Goodwolf, disputed this claim. He provided samples of the leaked data to media outlets, demonstrating that it included unencrypted personal information belonging to city employees, residents, and visitors.
In response, the City of Columbus filed a lawsuit against Goodwolf, arguing that his distribution of the stolen data was illegal and negligent. The city sought $25,000 in d
amages and an injunction to prevent him from further disseminating the leaked information. A Franklin County judge issued a temporary order barring Goodwolf from downloading and distributing the city’s stolen data.
Victim Notification and Preventative Measures
Despite initial assurances about the unusability of the data, breach notification letters sent in October confirmed that attackers had published personal and financial information of 500,000 individuals. The compromised data included:
- Full name
- Date of birth
- Address
- Bank account information
- Driver’s license number
- Social Security number
- Other identifying details related to interactions with the city
While no evidence has yet emerged of fraudulent use of this information, the City of Columbus has advised affected individuals to monitor their credit reports and financial accounts for any suspicious activity.
Protection Services Offered to Victims
To mitigate the impact of the incident, the city is providing 24 months of free credit monitoring and identity restoration services through Experian IdentityWorks.
Conclusion
This attack on the City of Columbus serves as a stark reminder of the growing ransomware threat to the public sector and the security challenges faced by local governments. Public and private organizations are urged to strengthen their cybersecurity measures and establish robust incident response protocols to minimize the impact of such attacks in the future.