Rhysida gang leaks 3.1TB of data from Columbus cyberattack

November 5, 2024

A ransomware attack in July led to the theft of 500,000 people’s financial and personal information, according to the City of Columbus, Ohio. The attack, which occurred on July 18, 2024, in the capital city of Ohio, disrupted services throughout the city and impacted IT connections across several public institutions.

The Rhysida ransomware gang took credit for the attack, asserting that they had stolen 6.5TB of sensitive data. Their claim included employee credentials, video camera feeds, server dumps, and other confidential information held by the city. Columbus officials initially assured the public that no systems had been encrypted but left open the possibility that data could have been compromised as investigations were ongoing.

The City of Columbus sued researcher David Leroy Ross after he revealed unencrypted data from its July breach, disputing claims it was unusable.

Following unsuccessful attempts to extort the city, the Rhysida gang released 45% of the stolen data—estimated at 3.1 TB and comprising 260,000 documents—on their dark web leak portal. In response, Columbus Mayor Andrew Ginther told the media that the data release should not be a public concern, asserting that the information was “encrypted or corrupted” and thus unlikely to cause harm.

However, security researcher David Leroy Ross, known as Connor Goodwolf, disputed these claims by providing media outlets with samples from the leaked data. Goodwolf’s findings suggested that the information was, in fact, unencrypted, containing sensitive personal data belonging to city employees, residents, and visitors.

Following Goodwolf’s revelations, the City of Columbus sued him, claiming that he had engaged in careless behaviour and spread stolen data. To stop the compromised data from being shared further, the City requested a permanent injunction, a temporary restraining order, and $25,000 in damages. The temporary restraining order, which prohibited Goodwolf from downloading or disseminating any more material from the data leak, was issued by a Franklin County judge.

Despite the initial claims that the data was unusable, Columbus officials notified 500,000 affected individuals in early October that some of their personal and financial information had been published on the dark web. The breach notification letters listed the compromised data, which included names, dates of birth, addresses, bank account details, driver’s licence numbers, Social Security numbers, and other identifiers.

The city has encouraged those affected by the incident to monitor their accounts and credit reports for any odd activity. To help those impacted, Columbus is also offering free 24-month credit monitoring and identity restoration services.

While the city maintains that there is no evidence of misuse at this time, the incident has raised questions about the extent of the data leak and its potential implications for residents. With investigations still underway, many are left uncertain about the possible future impacts of the breach on personal privacy and financial security.
