The City of Columbus, Ohio, confirmed Nov. 1 that 500,000 people were affected by a July 18 ransomware attack that was claimed by the Rhysida gang.
In a filing with Maine’s attorney general, the city said the personal information that may have been stolen included first and last names, dates of birth, addresses, bank account information, driver’s licenses, and Social Security numbers.
The city was quick to say that it was unaware of any actual or attempted misuse of the personal information for identity theft or fraud as a result of the incident.
The filing stands as an interesting twist in the widely reported case. In August, the city sued security researcher David Leroy Ross Jr. — who also goes by Connor Goodwolf — originally claiming that Ross risked “irreparable harm” to the city and its residents via the exposure of sensitive stolen data.
The city, which ultimately dropped the lawsuit against Ross last week, had alleged that Ross downloaded city data from the dark web after it was leaked by the Rhysida ransomware gang and threatened to share the city’s stolen data with third parties.
“The city dropping the lawsuit was the right thing to do,” said John Gunn, chief executive officer of Token. “It was viewed by most in the cybersecurity community as vindictive and without merit. They attacked a Good Samaritan who was serving the public by exposing misrepresentations so that people could protect themselves. What could have compounded the issue further is the fact that judges who hear these types of cases are often technophobes with limited ability to judge the merits of a case like this.”
Stephen Kowski, Field CTO at SlashNext Email Security, had a different take on the Columbus, Ohio, case. Kowski said the city's lawsuit wasn't primarily about the city denying the breach; rather it was about preventing premature disclosure of sensitive details while investigations were ongoing.
Based on public statements, Kowski said Ross had expressed clear intentions to share additional information that could have exposed the personal details of individuals more transparently and easily — including details of minors — before subsequent investigations and protection measures could be completed, especially regarding the assertions the researcher was making legitimately.
“The situation highlights the delicate balance between transparency and responsible disclosure,” said Kowski. “While immediate acknowledgment of breaches is crucial, organizations also have an obligation to protect sensitive data, especially concerning minors, during active investigations. The [judge’s] injunction served its intended purpose by allowing for a complete investigation without risking additional exposure of sensitive information. The key takeaway isn't simply about ‘coming clean,’ but about managing incident response in a way that protects all stakeholders.”
