The Metropolis of Columbus, Ohio, notified 500,000 people {that a} ransomware gang stole their private and monetary data in a July 2024 cyberattack.
Ohio’s capital metropolis (with a inhabitants of over 905,000) was hit by the ransomware assault on July 18. The ensuing outages affected numerous companies and IT connectivity between public companies.
Metropolis officers introduced on the finish of July that no methods had been encrypted and revealed that the Metropolis’s administration was nonetheless investigating the likelihood that delicate knowledge had been stolen throughout the breach.
The Rhysida ransomware gang claimed the assault the identical day, alleging that they had stolen databases containing 6.5 TB of information, together with worker credentials, metropolis video digicam feeds, server dumps, and different delicate data.
After failing to extort the Metropolis, the menace actors began leaking the stolen knowledge, publishing 45% of stolen knowledge comprising 260,000 paperwork (3.1 TB) on the gang’s darkish net leak portal.
Following this, Columbus Mayor Andrew Ginther advised native media that the leaked knowledge shouldn’t concern the general public as a result of it was “encrypted or corrupted.”
Nonetheless, safety researcher David Leroy Ross (aka Connor Goodwolf) disputed the Mayor’s declare, sharing samples of the leaked knowledge with media retailers as an instance that it contained unencrypted private data belonging to metropolis staff, residents, and guests.
The Metropolis filed a lawsuit alleging Goodwolf’s spreading stolen knowledge was unlawful and negligent. It sought damages of $25,000 and a short lived restraining order and everlasting injunction in opposition to the researcher to forestall additional dissemination of the leaked knowledge. A Franklin County decide issued a short lived restraining order barring Goodwolf from downloading and disseminating the Metropolis’s stolen knowledge.
Nonetheless, regardless of the Metropolis’s earlier claims that the leaked knowledge was unusable, as proven in breach notification letter samples filed with Maine’s Workplace of the Lawyer Basic, it notified 500,000 people in early October that the attackers stole and revealed a few of their private and monetary data on the darkish net.
“The knowledge concerned within the Incident could have included your private data, resembling your first and final identify, date of delivery, deal with, checking account data, driver’s license(s), Social Safety quantity, and different figuring out data regarding you and/or your interactions with the Metropolis,” the breach notification letters reveal.
Though the Metropolis has but to search out proof their knowledge was misused, it advises the people impacted by this breach to observe their credit score studies and monetary accounts for indicators of suspicious exercise.
It’s now additionally offering 24 months of free 24 months Experian IdentityWorks credit score monitoring and id restoration companies.