The City of Columbus, Ohio, has filed a lawsuit against security researcher David Leroy Ross, aka Connor Goodwolf, accusing him of illegally downloading and disseminating data stolen from the City’s IT network and leaked by the Rhysida ransomware gang.
Columbus, the capital and most populous (2,140,000) city in Ohio, suffered a ransomware attack on July 18, 2024, which caused various service outages and unavailability of email and IT connectivity between public agencies.
At the end of July, the City’s administration announced that no systems had been encrypted, but they were looking into the possibility that sensitive data might have been stolen in the attack.
On the same day, Rhysida ransomware claimed responsibility for the attack, alleging they stole 6.5 TB of databases, including employee credentials, server dumps, city video camera feeds, and other sensitive information.
On August 8, after failing to extort the City, the threat actors published 45% of stolen data comprising 260,000 files (3.1 TB), exposing much of what they previously claimed to be holding.
According to the City’s complaint, the exposed dataset includes two backup databases containing large amounts of data gathered by the local prosecutors and police force, dating back to at least 2015, containing, among other things, the personal information of undercover officers.
On the day of the data leak on Rhysida’s extortion portal on the dark web, Columbus Mayor Andrew Ginther stated on local media that the disclosed information was neither valuable nor usable and that the attack had been successfully thwarted.
A few hours later, Goodwolf disputed the Mayor’s claim that no sensitive or valuable data was exposed by sharing information with the media about what the leaked dataset included.
In response to this, on August 12, Mayor Ginther claimed that the exposed data was “encrypted or corrupted,” so the leak is unusable and should be of no concern to the public.
However, Goodwolf disputed these claims, sharing samples of the data with the media to illustrate that it contained unencrypted personal data of people in Columbus.
“Among the details laid bare were names from domestic violence cases, and Social Security numbers for police officers and crime victims alike. The dump not only impacts city employees, but also revealed personal information for residents and visitors going back years,” reported NBC4.
Silencing the researcher
The lawsuit submitted by Columbus alleges that Goodwolf’s conduct of spreading stolen data was both negligent and illegal, resulting in great concern in the community.
Moreover, the City alleges that the leaked data isn’t accessible to anybody, as Goodwolf stated, as it was published on a platform of limited access, requiring knowledge to locate.
“Defendant’s actions of downloading from the dark web and spreading this stolen, sensitive information at a local level has resulted in widespread concern throughout the Central Ohio region,” reads the complaint.
“Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so.”
The complaint notes that Goodwolf’s sharing of law enforcement data and the alleged plans to create a website for people to see if their data was exposed interferes with police investigations.
The City seeks a temporary restraining order, preliminary injunction, and permanent injunction against Goodwolf to prevent further dissemination of stolen data. Additionally, the City is seeking damages exceeding $25,000.
A reported by NBC4, a Franklin County judge issued the temporary restraining order yesterday, barring Goodwolf from accessing, downloading, and disseminating the City’s stolen data. The order also requires the defendant to preserve all data that was downloaded to date.
In a press conference about the lawsuit, shown below, City Attorney Zach Klein says that the lawsuit is not about suppressing free speech, as Goodwolf can still talk about the leak, but is aimed at preventing him from downloading and disseminating the stolen information.
Update 8/30/24: Added temporary restraining order.