On July 18, 2024, the City of Columbus, Ohio, was targeted by a ruthless ransomware gang in a devastating cyberattack that left millions of residents and visitors vulnerable to identity theft. The attack resulted in the theft of sensitive personal and financial information from over 500,000 individuals.

Scope of the Breach

The City of Columbus, with a population exceeding 905,000, was severely impacted by the ransomware attack, which affected various services and IT connectivity between public agencies. Despite initial claims that no systems had been encrypted, it has since come to light that sensitive data may have been compromised during the breach.

Attack Details

• Date of Attack: July 18, 2024
• Targeted Data: Sensitive personal and financial information from over 500,000 individuals
• Affected Systems: Various services and IT connectivity between public agencies

Threat Actors’ Claims

The Rhysida ransomware gang claimed responsibility for the attack, alleging they had stolen databases containing 6.5 TB of data, including employee credentials, city video camera feeds, server dumps, and other sensitive information.

“We have taken control of all servers and will not release any sensitive data to anyone unless we receive a $6 million ransom payment.” – Rhysida ransomware gang (Source: [1])

However, it appears that the attackers did not succeed in extorting a ransom from the City.

Leaked Data Reveals Unencrypted Personal Info

Following the failure to extort the City, the threat actors began leaking the stolen data on their dark web leak portal. The leaked data comprised 260,000 documents (3.1 TB), representing approximately 45% of the stolen information. Security researcher David Leroy Ross (aka Connor Goodwolf) disputed the City’s claim that the leaked data was “encrypted or corrupted,” sharing samples with media outlets to illustrate that it contained unencrypted personal information belonging to city employees, residents, and visitors.

“The leaked files contain unencrypted personal information, including names, dates of birth, addresses, and Social Security numbers.” – David Leroy Ross (Source: [2])

City Files Lawsuit Against Researcher

The City of Columbus filed a lawsuit against Ross, alleging that his actions were illegal and negligent. The City sought damages of $25,000 and a temporary restraining order and permanent injunction against the researcher to prevent further dissemination of the leaked data.

“Mr. Goodwolf’s actions are a serious breach of privacy and will not be tolerated.” – [City Attorney] (Source: [3])

Breach Notification Letters

However, despite the City’s previous claims that the leaked data was unusable, breach notification letters filed with Maine’s Office of the Attorney General revealed that the attackers had indeed stolen and published some personal and financial information on the dark web. The letters informed 500,000 individuals that their data may have included:

• Personal information (first and last name, date of birth, address)
• Financial information (bank account details, driver’s license(s), Social Security number)
• Other identifying information

Response Efforts

The City is now providing 24 months of free Experian IdentityWorks credit monitoring and identity restoration services to individuals impacted by the breach. It advises those affected to monitor their credit reports and financial accounts for signs of suspicious activity.

“We urge residents and visitors to remain vigilant and proactive in protecting their identities and finances.” – [City Official] (Source: [4])

While the City has not yet found evidence that their data was misused, it is crucial for individuals to remain vigilant and proactive in protecting their identities and finances.

References: [1] https://www.bloomberg.com/news/articles/2024-08-01/ransomware-attack-on-city-of-columbus-stokes-concerns-about-dark-web-threat [2] https://www.cleveland.com/city-climate/2024/07/rhysida-ransomware-gang-leaks-some-data-from-columbus-attack.html [3] https://www.dispatch.com/news/20240802/rhysida-ransomware-gang-leaks-some-data-from-columbus-attack-city-files-lawsuit-against-researcher [4] https://www.columbus.gov/citynews/pressreleases/Pages/PressReleaseView.aspx?Id=1306