A ransomware attack on the City of Columbus, Ohio, in July 2024 has exposed the personal information of approximately 500,000 residents, marking one of the most substantial cyber incidents involving a U.S. city.
The attack, attributed to the Rhysida ransomware group, has drawn attention due to both the extent of the data stolen and the controversial response from city officials.
As reported by BleepingComputer, the attack took place on July 18, 2024, and prompted Columbus officials to shut down several critical systems in an effort to contain the breach, resulting in service disruptions across the city.
Initially, city officials suggested that only corrupted, unusable data had been accessed. However, Rhysida claimed to have exfiltrated 6.5 terabytes of data, including sensitive personal information such as names, addresses, Social Security numbers, bank account details and driver's license information.
After failed ransom negotiations, the ransomware group released 3.1 terabytes of this data on the dark web. Columbus officials later confirmed that a significant amount of data had indeed been leaked, including details from law enforcement and city employee databases.
Rhysida, believed to be linked to Russian cybercriminal organizations, has become known for targeting public-sector entities worldwide.
Following its usual pattern, Rhysida initially sought a ransom, threatening to publish the data if demands were unmet. Once negotiations broke down, the group proceeded to leak portions of the stolen data on its dark web site, where it remains accessible to unauthorized parties.
Rhysida, first identified in May 2023, operates as a ransomware-as-a-service, or RaaS, organization, allowing affiliates to use its infrastructure and malware in exchange for a profit split on ransom payments.
Rhysida has targeted a range of sectors globally, including education, manufacturing, government and healthcare, frequently leveraging vulnerabilities in remote services and exploiting compromised credentials for initial access.
The group is known for deploying ransomware that encrypts data and for using double extortion tactics, threatening to release sensitive information on its dark web leak site if ransom demands are not met.
The situation took a contentious turn when David Leroy Ross, a security researcher known as "Connor Goodwolf," publicly disclosed details about the dark web leak.
Ross informed the media that the stolen data included unencrypted and potentially damaging information, directly contradicting the city's earlier claims that the data was unusable.
Columbus officials responded by filing a lawsuit against Ross in early August, accusing him of unlawfully accessing and sharing the stolen information. The lawsuit seeks a restraining order to prevent Ross from further disseminating the leaked data, citing concerns about public alarm and privacy violations.
City Attorney Zach Klein stated that the legal action aimed to protect sensitive information, while critics argued that it might deter transparency regarding the incident.
Columbus has since notified the Maine Attorney General's Office and is offering affected residents two years of complimentary credit monitoring and identity protection services. The city has also announced plans to strengthen its cybersecurity infrastructure, though specific details remain under review.
As the breach affects about 55% of Columbus's population, officials have faced mounting pressure to enhance security practices and ensure more transparent communication regarding cybersecurity incidents in the future.