The City of Columbus, Ohio, has taken legal action against a security researcher who shared leaked data from a ransomware attack against the city with members of the news media.
A lawsuit filed last week alleges that the actions of software development consultant David Leroy Ross Jr., who also goes by Connor Goodwolf, risks “irreparable harm” to the city and its residents via the exposure of sensitive stolen data.
The city alleges Ross downloaded the data from the dark web, after it was leaked by the Rhysida ransomware gang and “is threatening to share the City’s stolen data with third parties who would otherwise have no readily available means by which to obtain the City’s stolen data,” according to the complaint filed by Westley M. Phillips, the city’s lead attorney for civil litigation.
On Thursday, a Franklin County judge approved a temporary restraining order filed by the City of Columbus against Ross, blocking him from “accessing, and/or downloading, and/or disseminating the City’s data that has been stolen as part of a massive cyber-attack of the City’s IT system.”
City backtracks on extent of data leak
Columbus was struck by the ransomware attack on July 18 and the Rhysida ransomware gang threatened to auction off 6.5 TB of the city’s data in early August. After failing to find a buyer, Rhysida ultimately published more than 3 TB of the data on Aug. 8.
Columbus Mayor Andrew Ginther previously stated that “it has not been validated that the data is usable or valuable” and later claimed that “sensitive files were either encrypted or corrupted,” according to Statescoop.
However, Ross, under the name Goodwolf, came forward saying he analyzed the data from the dark web himself and found names, addresses, birth dates, driver’s license numbers and Social Security numbers of more than 470,000 people among the leak, The Columbus Dispatch reported.
“That information was conveyed in good faith and based on what our team knew to be accurate at that time,” a city spokesperson told SC Media, regarding the mayor’s comments. “New information came to light, and we can now confirm that personally identifiable information was released to the dark web. This is a very complex and rapidly changing situation, and we are going to continue to learn more and be as transparent and forthcoming with verifiable information as possible.”
City officials have since disclosed that stolen databases may include sensitive personal information about city police officers, including undercover police officers, as well as sensitive data regarding both adult and child victims of crime.
Beginning Aug. 16, the city began offering two years of free Experian credit monitoring to all Columbus residents and any non-residents whose information has been shared with the city.
“I’m angry and concerned that the city and our residents are victims of this cyberattack. My priority is to do everything we can to protect the residents of our city,” Ginther said in a statement. “Our understanding of this situation has evolved by the hour, and as such, we will continue to report only what our cybersecurity experts and IT team are able to verify without undermining this active criminal investigation.”
City attorney defends legal action against researcher: “This is not about freedom of speech”
In a press conference Thursday, Columbus City Attorney Zach Klein defended the lawsuit and temporary restraining order filed against Ross, saying the action was taken to protect the safety and privacy of those affected by the ransomware attack.
“This is not about freedom of speech or whistleblowing. This is about downloading and disclosure of stolen criminal investigatory records,” Klein told reporters, noting the action does not prevent Ross from speaking to the media or criticizing the city if no further data is shared.
During the press conference, Klein mentioned an “escalation” in Ross' conduct when the researcher allegedly shared records pertaining to the identities of undercover police officers and victims of crime to members of the media, which Klein said ultimately triggered the legal action after weeks of prior media appearances by the researcher.
The lawsuit filed by the city also claims that Ross is “threatening publicly to disclose and disseminate the City’s stolen data” through a website he plans to create and accuses the researcher of “flagrant disregard for any increased risk of harm to which Defendant could be exposing the City,” including police officers, crime victims and criminal witnesses.
The city’s request for a restraining order references an interview Ross gave to WCMH in which he expressed interest in creating a website that would enable users to check whether their information was included in the leak. The City of Columbus and City Attorney did not respond to questions from SC Media asking whether there was further evidence Ross planned to disseminate the leaked data on the clear web beyond this look-up function.
Critics say city officials seek to silence whistleblower
The decision to take legal action against the researcher sparked backlash from some Columbus residents and online commentators online, who have accused the city of trying to silence Ross for exposing its poor handling of the cyberattack.
Amelia Robinson, opinion and community engagement editor at The Columbus Dispatch, called the move “ridiculous” and “alarming” in an opinion piece published Friday, noting that many victims of the attack were unaware of its extent prior to Ross coming forward.
“We did not and would not have known we needed anything to be protected from if not for Goodwolf telling the media about the dangers facing the public. Where Goodwolf has been detailed, the city has been vague and defensive,” Robinson wrote.
Electronic Frontier Foundation Free Speech and Transparency Litigation Director Aaron Mackey also expressed support for Ross, telling WCMH Friday that he believes the city’s lawsuit violates the First Amendment and undermines the public’s access to knowledge about data breaches.
A Change.org petition in support of Ross accuses Ginther of lying to the public and says Ross’ “brave whistleblower activities” exposed the truth about the attack.
“The reality is that anyone can download this data. Targeting a single whistleblower is nothing less than retaliatory, serves no functional purpose, and it’s an assault on the First Amendment that miserably backfired,” activist Matthew Berdyck wrote in the petition.