It’s been one year since a ransomware attack breached the city of Columbus’ cyber defenses leaking hundreds of thousands of people’s personal information to the dark web, but there’s little sign of internal accountability.
A listener asked WOSU’s Curious Cbus several questions about the cyber attack. Authorities from the city all the way up to the FBI are still investigating the attack.
Since the attack some questions have been answered, but other details have yet to be confirmed by the city. The full report detailing the attack that Ginther and other city officials have talked about releasing hasn’t been published yet.
What happened with the city’s cyber breach? Is the full extent of the breach known?
Soon after the city first noticed something was wrong on July, 18, 2024, it shut down all its systems to thwart the attack. This shut down the city’s system for months, leaving some systems not fully operational until this year.
That attempt to thwart the attack ultimately failed to keep overseas cyber criminal group Rhysida from downloading and later releasing terabytes of personal information on the dark web from at least half a million people. The city says it did prevent Rhysida from encrypting the city’s systems so Rhysida could hold it hostage.
At first, the hacker group asked for a ransom and bid the data on the dark web for $2 million in bitcoin. But later, Rhysida dumped the data, including social security numbers, drivers licenses, addresses and more. The names and information of crime victims and even undercover police officers was found online.
This impacted city residents, employees and even visitors to the city who have interacted with its systems.
Columbus resident Will Klatt said his data was leaked online one year ago. Klatt started getting calls from credit unions and banks in February saying he had applied for new credit cards.
He didn’t.
To date, Klatt said his credit score has been downgraded from a perfect score due to the credit inquiries caused by the credit card applications.
Klatt connected all of this to the July 2024 Columbus data leak because whoever applied for these cards had his driver’s license. Klatt has attended city council meetings in the past where they routinely scan your license before you enter City Hall.
“That wouldn’t have been possible outside of that context. And there’s no way to prove it. By all accounts, I can’t think of another way that they would have that information,” Klatt said.
Klatt is just one example of someone affected by the attack. Klatt has a bone to pick with the city and he isn’t the only one.
Two class action lawsuits have been filed to represent law enforcement impacted by the attack, who say they were threatened by people who got ahold of their data. Another lawsuit plans to represent citizens who were impacted.
The city did offer free credit monitoring through Experian after the attack, which more than 15,000 people have taken advantage of at a cost of $1.6 million.
Klatt sent out a press release in June calling for accountability, taking aim at Columbus Mayor Andrew Ginther and Columbus City Attorney Zach Klein.
“It feels incredibly hurtful that a city government that’s already unresponsive to the citizenship, that when you go to city government, that they can’t protect you,” Klatt said.
The same week Klatt sent this, posters appeared around Columbus’ Clintonville neighborhood criticizing Klein for trying to silence the whistleblower who revealed data had leaked to the dark web last year.
Klatt denies posting these, but he said he agrees with its sentiment.
Klein’s office said in a statement that taking criticism is part of the job of an elected official.
“City Attorney Klein stands by his decision to protect sensitive, non-public information regarding active criminal investigations while also respecting the right to free speech,” spokesman Pete Shipley said in a statement.
Do we know what ever happened to the cyber researcher who called the mayor out on false statements, and was subsequently sued and gagged by Zach Klein?
That whistleblower was Connor Goodwolf, whose legal name is David Ross. He’s the cybersecurity expert who ultimately informed the public Rhysida had dumped all that data online for anyone to download and use.
At first, the city claimed it thwarted the cyber attack. Ginther called a press conference to claim no usable data was leaked. The very next day, Goodwolf proved that was false by talking to Columbus news station NBC4 and later other news outlets, including WOSU.
After days of exposing what was on the dark web to reporters, Klein got a judge to silence Goodwolf. City officials also claimed multiple times that only “criminals” use the dark web.
Goodwolf and the city later came to an agreement for Goodwolf not to divulge any of the information he found online.
Goodwolf said it is clear the city was not only not sorely unprepared to deal with a cyber attack, but it also failed on multiple levels.
“They weren’t following any of their own data retention policies. They weren’t following the federal guidelines for protecting specifics like taxpayer information (and other personally identifiable information). They weren’t…they didn’t have the safeguards in place.”
Goodwolf pointed to multiple city officials, including Department of Technology Director Sam Orth making claims that only criminals use the dark web. Goodwolf pointed out that the dark web, through Tor, is used by people who want to protect their privacy. He admits a lot of criminal activity does take place on there.
“If (Orth) truly does not know what Tor is, what is he doing as a director of technology,” Goodwolf said.
Goodwolf said he is now keeping busy on multiple projects, including cybersecurity, software engineering and other things. One project he is working on is creating a report on the cyber attack and a website tool that could allow people to search their name to check what personal information was leaked to the dark web.
Goodwolf said he doesn’t intend to release that tool until after the city releases its full report on the cyber attack.
Was anyone ever held accountable for the cybersecurity practices that led to the breach?
The FBI says it is still investigating the cyber attack and declined to comment further. Klein’s office also did not give many additional details, but said in a statement the city attorney is cooperating with the outside counsel on the investigation.
We still don’t know how exactly the city’s systems were breached. The city hasn’t said what caused it, but Goodwolf pointed out screenshots posted by Rhysida on its website of the SQL manager showing it was a technology employee for 911.
WOSU also requested public records from the city to learn more. Eight people have either been fired, retired or resigned from the Department of Technology since the attack. None of their personnel files indicate the terminations were related to the cyber attack.
Ginther told WOSU at a press conference in June he wants to wait to have all the information first before the city considers accountability. He also downplayed the cyber attack, pointing out that many other cities and large corporations get hacked every year.
“We are not unique or isolated. I think this is something that we’re gonna face and I think unfortunately we’re gonna see a lot more of,” Ginther said.
Klatt said he wants Ginther and Klein to face accountability.
“Mayor Ginther lied to the public based on information that is now known and has been widely reported as to the severity and the impact on average citizens. I happen to be one of the unlucky folks who was impacted by it,” Klatt said. “Zach Klein…could have approached this issue by going after the perpetrators that are harming Columbus citizens by stealing their identities and instead chose to spend his time going after the whistleblower.”
Unlike Klatt, Goodwolf doesn’t blame Ginther for giving out the false information. Goodwolf suggested he doesn’t think the mayor was given correct information by his subordinates.
Goodwolf said he wants Orth, the Department of Technology director, held accountable.
“I would want Orth to rather step down or show that he actually is dedicated to protecting the data and the citizens of Columbus and those who visit our city,” Goodwolf said.
Orth did not respond to a request for comment for this story.
Do we know of any measures put in place to prevent it from happening again? Do we know how much money the attack cost the city?
To date, the city has spent more than $30 million to improve security, pay for free-credit monitoring for people impacted, address the attack and add more staff to the Department of Technology. That could grow should the two class action lawsuits filed against the city by law enforcement and regular citizens find success in court.
A large chunk of that price tag was approved Monday by Columbus City Council. The city will pay $23 million to install a “Zero Trust Network.” This type of protection will both strengthen user authentication for city systems and segment its departments.
This could potentially limit a cyber attack’s reach to the department where the breach occurred.
Goodwolf said the Zero Trust Network the city is adding could help mitigate the damage any future cyber attack could deal, but it wouldn’t have helped with this attack. He said Columbus learned from this hack what could happen if proper protections aren’t in place.
Goodwolf said adding a zero trust network is the bare minimum the city is doing. He said he’s been running that type of system since the early 2000s.
“The city is gaslighting people into a false sense of security,” Goodwolf said.
Goodwolf said the city also needs to hire better talent. He said the hack exposed the technology department and Orth’s inability to respond quickly and report accurate information to the mayor.
“This goes down straight to complete and utter ignorance, and on the level that it should be criminal if it’s not already,” Goodwolf said.
Goodwolf also suggested the city should hire outside audits to run checks on the city’s systems to try and check for vulnerabilities and breaches.
This story was part of WOSU’s Curious Cbus series. Submit your question below.
