Ransomware whistleblower: Columbus could have avoided its mistakes

A ransomware attack on Columbus, Ohio, has drawn international attention and condemnation for how city leaders mismanaged their response to the incident.

First, the mayor’s office erroneously downplayed the nature and impact of what it initially called a system “abnormality.” Then, the city obtained a gag order on a local cybersecurity expert who proved the attackers were ransomware threat actors who stole vast amounts of sensitive personal data on city employees and vulnerable residents.

The episode has left the 34th largest city in the US with a black eye and facing class-action lawsuits. Columbus has also earned the scorn of First Amendment experts who claim the city’s efforts to suppress the whistleblower’s information violate the US Constitution’s right to free speech.

Moreover, cybersecurity experts have decried the city’s efforts to muzzle one of their own. Scores of infosec professionals have staunchly defended the whistleblower, without whom, they say, misguided citizens might still believe their personal information is safe. Nonetheless, the whistleblower still faces a civil lawsuit that could cost him at least $25,000, an outcome he believes would benefit no one.

Timeline of events around the Columbus ransomware attack

The following timeline of events surrounding the attack clarifies how quickly the city’s response to the incident devolved into a series of errors that left leaders with few face-saving options.

July 18: Cybercriminal gang Rhysida attacked the City of Columbus with ransomware. Four days later, Columbus Mayor Andrew Ginther’s office released a statement saying the city’s technology department “found evidence of an abnormality in its system on July 18,” prompting the city to take its systems offline.

July 31: Two officers with the Columbus Division of Police came forward saying their bank accounts were hacked, and the city began offering free credit monitoring to its employees the next day. (The police officers subsequently filed a class-action lawsuit against the city.)

Aug. 1: Rhysida demanded nearly $2 million ransom in Bitcoin for the 6.5 terabytes of data it claimed it stole from the city of Columbus and posted sample data on its leak site to back up its claims.

Aug. 7: Rhysida announced it had published about 45% of the data and threatened to release more if the city didn’t pay the ransom by the following morning. Meanwhile, the mayor’s office said there was no evidence that data had been published and claimed the city never received a ransom demand.

Aug. 13: In a fact sheet shared with the press and during a press conference, Mayor Ginther claimed the stolen data backups published by Rhysida were encrypted or corrupted and thus not readable.

At that point, a local cybersecurity expert who goes by the name Connor Goodwolf, but whose legal name is David Leroy Ross Jr., contradicted the mayor, claiming that the data in Rhysida’s dump exposed easily readable data on a significant portion of Columbus residents. Those exposed included anyone who swiped their driver’s license at city hall in the past ten years, he said, as well as anyone who has dealt with the Columbus City Attorney’s Prosecuting Office in any way, including victims, suspects, or those subpoenaed by the court or law enforcement.

Aug. 16: The city expanded free credit monitoring to all residents impacted by the cyberattack.

Aug. 17: Ginther confirmed that “personally identifiable information” was leaked on the dark web, including information on criminals, victims of crime, and witnesses from the city prosecutor’s office. Ginther said more PII may have been accessed and could be published on the dark web.

Aug. 19: Goodwolf informed the press that Rhysida had hacked a second database that included thousands of incident reports from the Columbus Division of Fire and information from people who visited any of the four city buildings since 2006.

Aug. 20: A second class-action lawsuit was filed against the city, representing city police and firefighters.

Aug. 28: Goodwolf told the press that information from the Columbus police crime MATRIX database was available on the dark web. This database represents witness, victim, and suspect information from any police report in the past ten years, as well as the names and details of undercover officers.

The city filed a civil lawsuit against Goodwolf, accusing him of illegally downloading and disseminating data stolen from the city’s IT network and leaked by the Rhysida ransomware gang. What bothered the city the most was that Goodwolf shared some of the stolen data he retrieved from Rhysida’s website with the media. According to the complaint, the media “used the stolen data to go door-to-door and otherwise contact individuals whose names were” in the stolen data. The city argued that only experts with advanced skills can navigate and interact with cybercriminals on the dark web, a claim Goodwolf and other cybersecurity experts have vehemently denied.

Moreover, in its complaint, the city said Goodwolf is “threatening publicly to disclose and disseminate the City’s stolen data to the local community in the form of a website he will create.” The city wants Goodwolf to pay damages greater than $25,000, an amount to be determined by jury trial, due to what it calls the “irreparable harm” and “widespread concern throughout the Central Ohio region” caused by Goodwolf’s disclosure of the data to the media.

The city also successfully requested a temporary restraining order (TRO) to bar Goodwolf from accessing, downloading, or disseminating the stolen data.

Sept. 9: During the first briefing the Columbus City Council members received on the ransomware incident, the city’s technology officer, Sam Orth, said that at that point, 23% of the city’s computer systems were still down, while another 7% had been only partially restored. He admitted the criminals stole PII related to hundreds of thousands of people, including city residents and employees, too many, he said, to notify individually. After briefing the Council, Orth fled the room through an emergency-only balcony exit to avoid the media.

Sept. 11: The city reached an agreement on a preliminary injunction with Goodwolf, replacing the earlier restraining order. Under this injunction, Goodwolf is prohibited from sharing stolen city data with any party, aside from the city itself, including personal information such as Social Security numbers, driver’s license numbers, bank account information, credit card numbers, and other sensitive materials. He was also forbidden from disseminating any city data from the city’s MATRIX prosecutor and MATRIX Crime databases until the final resolution of his case.

Goodwolf: ‘All this could have been prevented’

Goodwolf says he was caught off guard by the city’s lawsuit. “At no time did they even attempt to reach out before filing a lawsuit in the TRO,” he tells CSO.

“The tipping point was my going to the news media regarding the contents of the crime database, even though the prosecutor’s database was the first database I shared with the media, which had names of domestic violence victims and crimes involving minors,” he adds. “The line was crossed with the crime database, which contained names of officers, even though, again, crimes regarding victims were already in the prosecutor’s database. I don’t know where the outrage came from in the city because I had been talking about the breach starting on the 13th through the 29th when the TRO was filed.”

City Attorney Zach Klein confirmed that the crime database files Goodwolf shared with the media triggered the lawsuit. He accused Goodwolf of going “to the next level” by reporting that a Columbus police database was exposed. Klein said, “Who else is he disclosing that information to? Friends? Family? This is personal, confidential information. This is investigatory records. And in order to protect victims, in order to protect witnesses, in order to protect our fine men and women of the Division of Police, we filed this TRO.”

Goodwolf says that he shared the stolen files with the media solely so they could conduct due diligence to confirm the validity of the data. He took steps to protect the data by asking reporters to agree not to report any information they received. “All this could have been prevented because if I had the means to contact someone there who wasn’t just a lower-ranking worker, then I wouldn’t have had to go to the media,” he says.

Goodwolf says he repeatedly tried to tell the city about the breach but met with silence. “I even sent screenshots of my call logs to all the local reporters,” he says. “I was like, dude, I tried. They [the reporters] even requested voicemail” as proof of his attempt to inform the city. (Klein said he was never made aware by his office employees that Goodwolf tried to contact him.)

What motivated Goodwolf most to reach out to the media was “the freaking fact sheet” the mayor issued, which was “just full of lies,” he says, particularly Ginther’s contention that the stolen data was encrypted or corrupted. After Goodwolf disproved this assertion with actual data, representatives from Dinsmore, the law firm the city brought in to help handle the breach fallout, asked him how he achieved what they could not.

Goodwolf says, “Some of [Dinsmore people] said, ‘I tried downloading the data, and it was corrupted. What am I doing wrong?’ I’m like, oh, shit. Now I understand. When I download files from the dark web, I use the command line. I’m not necessarily using the Tor browser when downloading big payloads. Anything over a hundred to 200 gigs has a risk of stopping and restarting it.”

The Columbus mayor’s office tells CSO that “Dinsmore is a nationally renowned firm that has worked on thousands of cybersecurity attacks, including high-profile cases. Since August 13, we have brought on additional resources to support our investigation. The findings of our investigation will be disclosed via an official report in October.”

It’s worth noting that the mayor’s office also confirmed that the city lacked cybersecurity insurance during the Rhysida attack. Cyber insurance policies typically require policyholders to contact the underwriter first after learning of an incident, whereupon the insurer will bring in a team of experts to conduct the investigation and incident response.

Experts: ‘The city of Columbus looks really dumb right now’

Goodwolf has been hailed as a whistleblowing hero by top practitioners in the infosec community. On Sept. 10, dozens of the world’s top cybersecurity professionals signed a letter to City Attorney Klein saying his lawsuit, which “seeks to penalize Mr. Goodwolf for allegedly disseminating data stolen by the Rhysida ransomware group, is misguided and counterproductive.”

They further point out that the “actual criminals in this case are a ransomware gang who call themselves Rhysida” and urged the city to “refocus its efforts on mitigating these risks, informing citizens about the true nature of the breach, and taking proactive steps to enhance the city’s information security posture.”

Even local law enforcement seems to be on Goodwolf’s side. “The community at large has been extremely supportive to the point where I’ve even had former police officers approach and tell me, if I do get fined, they’ll throw $5,000 in the pot and pay the city,” Goodwolf says.

“The city of Columbus looks really dumb right now,” Michael Hamilton, founder and CISO at Critical Insight and former CISO of Seattle, tells CSO. “It looks like they were trying to evade any transparency here. And that always makes it worse. I think part of the implication here is that they can treat him as a bad guy, and the perception they create might lessen the pressure on them. But slapping the guy with a restraining order just makes the city look worse.”

“I think this was a very ham-fisted, clumsy approach,” Richard Forno, assistant director of the Cybersecurity Institute at the University of Maryland, Baltimore County, tells CSO. “They just stepped on both feet and tripped over themselves and took an incident that was bad enough and added this level of bad optics to it that got a lot of bad publicity and made the situation even worse.”

Attorneys: Gagging Goodwolf violates the First Amendment

In announcing the city’s lawsuit and gag order against Goodwolf, City Attorney Klein said the legal actions were “not about free speech, but rather about stopping him from accessing the stolen data.”

However, Aaron Mackey, free speech and transparency litigation director at the Electronic Frontier Foundation, told local press outlets that the lawsuit “clearly violates [Goodwolf’s] First Amendment rights to make sure that the public understands and is informed on this very significant privacy breach that is the result of what sounds like the city’s own inaction or inability to properly secure its data. Rather than thank this individual for coming forward and actually explaining to the public that this is a significant problem, the city has resorted to basically violating his First Amendment rights and claiming that what he’s done is some sort of illegal act.”

One of the nation’s leading First Amendment experts, Bob Corn-Revere, now chief counsel for the Foundation for Individual Rights and Expression, agrees with Mackey, calling the initial gag order a classic case of prior restraint, which courts always disfavor. “This gag order is all-encompassing,” he tells CSO. “It prohibits accessing, disclosing, and possessing anything involving this data breach. And it seems like that’s an awfully broad restriction for someone who’s simply trying to report on a matter that the city appears not to want to publicize.”

The city attorney’s office responded to this criticism by pointing to the second agreement, the preliminary injunction, that Goodwolf signed. “Mr. Goodwolf and the City signed an agreement on a preliminary injunction last week that protects sensitive data exposed in the cyber intrusion from being disseminated publicly while also allowing him to maintain a dialogue with the City regarding the breach. Like the temporary restraining order formerly in place, this new agreement has zero impact on Goodwolf’s ability to discuss the extent of the cyber intrusion or even describe what kinds of data were exposed, including to members of the media.”

However, while Corn-Revere thinks the preliminary injunction is better, he believes it still raises serious First Amendment issues. “This is certainly better than the blanket prior restraint that existed before,” he says. “It makes an attempt to be more narrowly tailored. But it is still troubling that it gives the city prior review and veto power over anything he wants to report publicly.”

What’s next for Goodwolf?

Despite what he has been through, Goodwolf is optimistic the city will drop its lawsuit. He has an attorney on standby, and EFF is waiting in the wings to help if need be.

“Usually, when it comes to civil cases, they get settled before they go to trial,” he says. “It’s more than likely, best guess here, that the city will drop the case.”

He intends to move forward with the website that the city objected to, a searchable database akin to Troy Hunt’s HaveIBeenPwned. This database will allow Columbus residents to determine whether their data was implicated in the breach and what information was exposed. However, this database would only encompass the 45% of the total data that Rhysida couldn’t sell and dumped on the web.

“Now, if the city wants to add to that data pile, if they know a certain database was also exfiltrated, that would be even more powerful,” he says. “I’ll add that. I want to get everyone in a room and talk them through everything. They’re not all tech-savvy, so I’ll have to be diplomatic and make sure I walk people through and explain everything.”
