The City of Columbus, Ohio, has notified 500,000 residents that their personal data may have been compromised in a ransomware attack that occurred in mid-July 2024.
Although officials initially claimed that only corrupted data had been taken, information from a security researcher has revealed that the data was indeed exfiltrated and posted on the dark web.
The July 18 attack led the city to take critical systems offline, disrupting multiple municipal services in an effort to contain the breach.
Rhysida Ransomware Group Claims Responsibility
The Rhysida ransomware group has claimed responsibility for the attack. This cybercriminal organization, believed to have ties to Russian threat actors, initially sought a ransom from Columbus, stating it had stolen 6.5 TB of data.
After failed negotiations with the city, Rhysida allegedly posted 3.1 TB of this data on its dark web leak site. This exposure has become one of the most significant public sector data breaches in recent history.
The compromised data reportedly includes:
-
Names and addresses
-
Dates of birth
-
Social Security numbers
-
Bank account details
-
Driver’s license information
Columbus Takes Legal Action Against Security Researcher
The situation escalated when Columbus filed a lawsuit against security researcher David Leroy Ross in early August.
Ross, known as “Connor Goodwolf,” informed local media that residents’ personal information had been uploaded to the dark web. This disclosure directly contradicted Columbus officials’ earlier assertions that only unusable, corrupted data had been stolen.
Following Ross’s revelations, cyber analysts reviewed samples of the stolen data, finding a significant volume of sensitive files, including databases, password logs, cloud management files, employee payroll records and even footage from city traffic cameras.
The city said it has since committed to enhancing its cybersecurity protocols to prevent similar attacks in the future.
With a population of 915,000, Columbus informed the Maine Attorney General’s Office that the breach could affect approximately 55% of its residents.
The city is providing two years of free credit monitoring and identity protection services for impacted residents. Facing mounting public pressure, Columbus officials are now under scrutiny to improve data protection and ensure transparent communication about the extent of the breach.