City of Columbus acknowledges data theft after lawsuit against security researcher
The City of Columbus, Ohio, has confessed that the details of over 500,000 individuals were stolen in a cyberattack, but only after filing a lawsuit against a security researcher who disclosed that the data had been stolen.
The strange story starts in July when the city was targeted in a ransomware attack. The city claimed at the time that no systems had been encrypted and that they were investigating the possibility that sensitive data may have been stolen.
According to Bleeping Computer, while the city's systems were not encrypted, the Rhysida ransomware gang claimed responsibility for the attack the same day it was disclosed and alleged to have stolen 6.4 TB of data, including employee credentials, city video camera feeds, server dumps and other sensitive information. With the city not paying up, the ransomware gang then published 45% of the stolen data, compromising some 260,000 documents, on its dark web leaks site.
You would think at this point that the reaction would be one of disclosure, given the data was published and not hard to find, but instead, Columbus Mayor Andrew Ginther told local media that the leaked data was "encrypted or corrupted" and hence there was no need for concern.
Enter security researcher David Leroy Ross - known online as Connor Goodwolf - who not only disputed the claim by the Mayor but also shared examples of the leaked data with media outlets to show that they included unencrypted information.
In response, the city filed a lawsuit against Ross, claiming that he was spreading stolen data and that doing so was illegal and negligent. The city sought damages of $25,000, a temporary restraining order and a permanent injunction against further dissemination of the leaked data.
Now it emerges that the city disclosed to 500,000 individuals in early October that attackers had indeed stolen personal information, the same information Ross was warning about. The case against Ross was also dropped last week, but only after he agreed to a permanent injunction that only allows him to share parts of the stolen data with approval from the city.
"It's good to see the City of Columbus dropping the case, partly in response to outcry from the security community back in July," Casey Ellis, founder and advisor at crowdsourced cybersecurity platform company Bugcrowd Inc., told SiliconANGLE via email. "This is another example of shooting the messenger and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies and companies should be working hard to avoid.
John Bambenek, president of cybersecurity consulting form Bambenek Consulting Ltd., was harsher, noting that "you would think political officials would know the old saying 'It's not the crime; it's the cover-up.'"
"People are numb to the news of breaches and all of us have at least a dozen letters offering free credit monitoring," Bambenek added. "Frankly, the city engaged in next-gen stupidity to get back to where they should have been this summer."