Columbus says ransomware gang stole personal data of 500,000 Ohio residents

The City of Columbus, Ohio has disclosed a serious data breach involving the personal information of around 500,000 residents, which occurred during a ransomware attack in July. According to a filing with the state of Maine’s attorney general, a “foreign cyber threat actor” successfully infiltrated the city’s network, compromising sensitive information such as names, dates of birth, addresses, Social Security numbers, identification documents, and bank account details.

Columbus, the largest city in Ohio with a population nearing 900,000, acknowledged that while approximately half a million individuals were affected by the breach, the precise number of compromised records remains unconfirmed. This admission highlights the severity of the incident and the potential risk posed to residents’ privacy and security.

The ransomware attack took place on July 18, when Columbus officials claimed they were able to mitigate the damage by disconnecting the network from the internet. However, the situation escalated with claims from the ransomware group Rhysida, which is also responsible for the 2022 cyberattack on the British Library, affirming their involvement in the Columbus attack and stating they had stolen 6.5 terabytes of sensitive data.

The data reportedly includes not only personal information but also internal logins, employee passwords, and access to critical systems, such as emergency services applications and city surveillance cameras. In a clear attempt to capitalize on the situation, Rhysida demanded a ransom of 30 bitcoin, equivalent to about $1.9 million at the time, for the return of the stolen data.

Despite the mayor of Columbus, Andrew Ginther, asserting that the stolen data was likely “corrupted” and “unusable,” doubts arose the next day when cybersecurity expert David Leroy Ross (also known as Connor Goodwolf) discovered the personal information of numerous Columbus residents was being listed on dark web forums. This revelation contradicted the city’s assurances about the integrity of the compromised data.

In a further complication, the city of Columbus initiated legal action against Ross in September, alleging that he was threatening to disseminate the stolen data to parties who could easily access it. In response to this lawsuit, a judge granted a temporary restraining order against Ross, thereby restricting his access to the stolen material.

The situation has escalated as Rhysida posted a statement on its leak site, claiming to have uploaded 3.1 terabytes of “unsold” data, which includes more than 250,000 files stolen from Columbus. This development raises concerns regarding the security of the sensitive information and indicates that the breach may lead to further repercussions for both the city and its residents.

Overall, the Columbus data breach underscores the growing threat posed by ransomware attacks, as well as the significant impact such incidents can have on municipal operations and public trust. The legal and reputational ramifications for the city remain to be seen, as officials work to address the fallout from this serious cyber incident.