Columbus City Ransomware Attack Affects 500,000 People

In a massive data breach affecting Ohio's state capital, the City of Columbus confirmed that the personal information of 500,000 residents was stolen during a July ransomware attack. The attack, claimed by the Rhysida ransomware gang, exposed a wide array of sensitive data, including Social Security numbers, birth dates, addresses, and even bank account details.

The breach, which occurred on July 18 as per the notification filed with Maine’s attorney general, affected more than half of Columbus’s 900,000 residents. City officials initially claimed they had “thwarted” the attack by disconnecting their network from the internet.

The Rhysida gang has claimed to have stolen 6.5 terabytes of data, including “databases, internal logins and passwords of employees, and access to emergency service applications,” as noted in the report by TechCrunch.

After the city refused to pay Rhysida’s demand of 30 bitcoins (approximately $1.9 million at the time), the hackers began leaking the stolen data. Rhysida has posted 3.1 terabytes of “unsold” compromised data, including more than 260,000 files, to its dark web portal.

“My priority is to do everything we can to protect the residents of our city,” Columbus Mayor Andrew Ginther told the media. He also noted that the city had “extended two years of free Experian credit monitoring to all of our residents to help protect them from potential fraud or identity theft,” as quoted by The Register.

Following the leak, Columbus sought to prevent further dissemination of the data by suing cybersecurity researcher David Leroy Ross (known publicly as Connor Goodwolf), who had disclosed details of the breach and revealed that domestic violence victims’ information was among the compromised data. The lawsuit sought a restraining order against Ross, alleging that he had threatened to share Columbus’s stolen data with others.

Despite previous assurances from city officials that the leaked data was “corrupted or unusable,” Ross demonstrated that the data was accessible and intact, countering the city’s initial claims. A judge issued a temporary restraining order to prevent Ross from downloading or sharing further stolen data.

Columbus is not the only city facing the pressures of a public breach. A few months ago, the MOVEit breach exposed sensitive student information in New York City schools, emphasizing the need for improved cyber defenses in public systems nationwide.