Ransomware has long plagued American municipalities, and the attack that hit the city of Columbus, Ohio, in July this year seemed like a classic ransomware attack. But the city’s response to the hack was inadequate, leaving cybersecurity and legal experts across the country questioning its motives.
Connor Goodwolf (whose real name is David Leroy Ross) is an IT consultant who investigates the dark web as part of his job: “I track dark web crime, criminal gangs, and cases like the arrest of the CEO of Telegram,” Goodwolf says.
So when word got out that his hometown of Columbus had been broken into, Goodwolf did what he always does: he started researching online. It didn’t take long for him to figure out what the hackers had gotten their hands on.
“It wasn’t the largest, but it was one of the most impactful breaches I’ve seen,” Goodwolf said.
Goodwolf explained that in some ways this was a routine break-in, exposing personally identifiable information, protected health information, Social Security numbers and driver’s license photos. But it was more extensive than other attacks because multiple databases were compromised. Goodwolf said the hackers broke into multiple city, police and prosecutor’s office databases, including arrest records and sensitive information on minors and victims of domestic violence. Some of the compromised databases date back to 1999, Goodwolf said.
Goodwolf found more than three terabytes of data that took more than eight hours to download.
“The first thing I saw was the prosecutor’s database and I thought, ‘Oh my God,’ these are domestic violence victims. When it comes to domestic violence victims, we need to protect them the most because they’ve already been victimized once and now they’re being victimized again because their information has been exposed,” he said.
Goodwolf’s first action was to contact the city to let them know how serious the breach was, because what he saw contradicted the official story. At a press conference on August 13, Columbus Mayor Andrew Ginther said, “The personal data that the threat actors published on the dark web has been encrypted or corrupted, making the vast majority of the data obtained by the threat actors unusable.”
But what Goodwolf found didn’t support that notion. “I tried multiple times to contact multiple city departments and was ignored,” Goodwolf said.
Google-owned Mandiant and many other top cybersecurity companies have been tracking a continued increase in both the prevalence and severity of ransomware attacks, as well as the rise of the Rhysida group, the group behind last year’s high-profile Columbus hack.
The Rhysida group claimed responsibility for the hack, and while little is known about the cyber group, Goodwolf and other security experts say they appear to be state-sponsored and based in Eastern Europe, with a possible Russian connection. Goodwolf said the ransomware gangs are “professional operations” with staff, paid leave and spokespeople.
“They’ve stepped up their attacks and their targeting since last fall,” he said.
The U.S. government’s Cybersecurity and Infrastructure Security Agency issued a breaking news report about Rhysida last November.
When he got no response from city officials, Goodwolf said, he went to local media to share the data with journalists in an attempt to raise public awareness of the seriousness of the breach. Then he heard back from the city of Columbus, with a lawsuit and a temporary injunction barring him from releasing any more information.
The city defended its response in a statement to CNBC.
“The City initially moved to obtain this order from the Court to prevent the disclosure of sensitive or confidential information that could threaten public safety and criminal investigations, including the identities of undercover police officers.”
The city’s 14-day temporary restraining order against Goodwolf has expired; a preliminary injunction has now been issued, and an agreement has been reached with Goodwolf not to release any more data.
“It should be noted that the court order does not prohibit the defendants from talking about the data breach or even describing what data was exposed,” the city’s statement added. “The order only prohibits individuals from disseminating the stolen data that they posted on the dark web. The city continues to work with federal authorities and cybersecurity experts to address this cyber intrusion.”
The mayor was forced to apologize at a later press conference, saying his initial comments were based on the information he had at the time: “It was the best information we had at the time. Obviously, it turned out to be inaccurate and I have to take responsibility for that.”
Realizing the toll on residents is greater than originally thought, the city has begun offering two years of free credit monitoring services through Experian, including to anyone who has had contact with the city of Columbus through arrest or other business. The city of Columbus is also working with the Legal Aid Society to identify what additional protections domestic violence victims may need if they feel they are at risk or need assistance with civil protective orders.
To date, the city has not paid the hackers’ $2 million ransom demand.
“He’s not Edward Snowden.”
People who study and work in cybersecurity law expressed surprise that Columbus would file a civil lawsuit against a researcher.
“Lawsuits against data security researchers are rare,” said Raymond Ku, a law professor at Case Western Reserve University. When they do occur, he said, it’s usually because the researchers allegedly revealed how a flaw has been or could be exploited, thereby enabling others to exploit it.
“He’s not Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity firm Huntress, who said he was concerned about Columbus’ response and how it would affect future leaks. Snowden was a government contractor who was criminally charged for leaking classified information but considered himself a whistleblower. Hanslovan said Goodwolf was a good Samaritan who independently discovered the leaked data.
“In this case, as far as I can see, they seem to have done the bare minimum to silence a supposed security researcher who confirmed that the official statement was not true. This is not a proper use of the courts,” Hanslovan said, predicting that the case will be quickly overturned.
Columbus City Attorney Zach Klein said at a press conference in September that the case “is not about free speech or whistleblowing. It is about the downloading and disclosure of stolen criminal investigative records.”
Hanslovan worries about the ripple effect of cybersecurity consultants and researchers being put off doing their jobs for fear of lawsuits. “The bigger issue here is that new techniques are emerging to silence individuals in response to hacks,” he said. This is unwelcome. “Silencing an opinion, even for 14 days, is enough to prevent reliable facts from coming to light, and I’m scared of that,” Hanslovan said. “Those voices need to be heard, and I’m worried that the bigger a cybersecurity incident gets, the more interested people will be in bringing it to light.”
Scott Dylan, founder of UK-based venture capital firm NexaTech Ventures, also believes Columbus’ actions could have a chilling effect on the cybersecurity sector.
“As the field of cyber law matures, this case is likely to be referenced in future discussions about the role of researchers following a data breach,” Dylan said.
He said the legal framework needs to evolve to address the increasing sophistication of cyber attacks and the ethical dilemmas they pose, and that the approach taken by Columbus was the wrong one.
For Goodwolf, meanwhile, the legal process continues. Though the city of Columbus and Goodwolf reached a disclosure agreement last week, the city is still suing Goodwolf in a civil lawsuit for damages that could amount to more than $25,000. Goodwolf is representing himself in negotiations with the city, but has said he has an attorney on standby if necessary.
Some residents have filed a class action lawsuit against the city. Goodwolf said 55% of the leaked information is for sale on the dark web, and the other 45% is available to anyone with the skills to access it.
Dylan believes the city is taking a big risk by creating the impression that it is trying to stifle debate rather than promote transparency, even if its actions are legally justifiable. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.
“I hope the city realizes the error of filing a civil lawsuit and the impact it has beyond just security,” Goodwolf said, noting that Intel, with significant federal backing, is building a multibillion-dollar semiconductor manufacturing facility outside Columbus. The city has positioned itself in recent years as a new tech hub in the Midwest’s “Silicon Heartland,” and attacking white hats and cybersecurity researchers could make some in the tech industry reconsider basing themselves in the city, Goodwolf said.