After downplaying the impact of a recent ransomware attack, the City of Columbus, Ohio, last week sued a researcher who disclosed the extent of the incident.
Columbus fell victim to ransomware on July 18 and disclosed the incident shortly after, saying it stopped the attack before file-encrypting malware was deployed on its systems.
On August 16, Columbus announced it was offering free credit monitoring services to all individuals who shared personal information with the city, after initially saying that only employees would receive the free service.
“Starting today, all Columbus residents and non-residents whose personal information was shared with the city or municipal court will be able to sign up for two years of free Experian monitoring, which includes $1 million of protection against fraud and identity theft,” the city announced.
The extended credit monitoring services were likely announced as a reaction to security researcher David Leroy Ross, also known as Connor Goodwolf, telling local media that the impact from the July ransomware attack was bigger than the city had claimed.
On August 8, after failing to extort the city and to auction 6.5 terabytes of data allegedly stolen from its systems, the Rhysida ransomware gang leaked on its Tor-based site 3.1 terabytes of information supposedly exfiltrated from Columbus’ systems.
During an August 13 press conference, Columbus Mayor Andrew Ginther explained the public release of the information by saying that the attackers had stolen corrupted and encrypted data.
Ross, however, immediately contacted local media to provide evidence that the stolen data was, in fact, intact and that it included names, Social Security numbers, and other types of sensitive data. A large amount of information pertained to police officers and crime victims.
According to the city’s complaint against Ross (PDF), the Rhysida ransomware group posted on the dark web data extracted from backup prosecutor and crime databases, which included information on cases dating back to at least 2015.
“This data would potentially include sensitive personal information of police officers, as well as the reports submitted by arresting and undercover officers involved in the apprehension of the persons charged criminally by the city prosecutor’s office,” the complaint reads.
The city accuses Ross of interacting with the ransomware gang to download the leaked stolen information and then spreading it at a local level, causing widespread concern.
Furthermore, Columbus claims that, although shared publicly, the information on Rhysida’s site is only accessible to individuals who “have the computer expertise and tools necessary to download data from the dark web”.
“The dark web-posted data is not readily available for public consumption. Defendant is making it so. […] The irreparable harm that could be done by the readily-accessible public disclosure of this information locally by Defendant is a real and ongoing threat,” the city claims.
According to the city, the researcher’s actions represent an invasion of privacy and are causing irreparable harm and damages.
Columbus was seeking a restraining order to prevent Ross from accessing the city’s stolen data leaked on the dark web. A Franklin County judge granted (PDF) ex parte the motion for a temporary restraining order last week.
The order bars Ross from disseminating data downloaded from Rhysida’s site, but does not prevent him from discussing the incident or the type of stolen data with the media, the city said.
Related: BlackByte Ransomware Gang Believed to Be More Active Than Leak Site Suggests
Related: 500k Impacted by Texas Dow Employees Credit Union Data Breach
Related: Laptop Maker Framework Says Customer Data Stolen in Third-Party Breach
Related: Darktrace Denies Getting Hacked After Ransomware Group Names Company on Leak Site
