City sues man who exposed the severity of ransomware attacks after researchers prove data is not available to criminals, despite mayor's claim



The city of Columbus, Ohio, has filed a lawsuit against security researcher David Leroy Ross (aka Connor Goodwolf) for illegally obtaining and distributing city data leaked by the ransomware group Rhysida. Ross had claimed confidentiality of the leaked data, but when this was denied by the city, he released some of the data to the media.

Complaint-240829 - DocumentCloud

https://www.documentcloud.org/documents/25082253-complaint-240829

City of Columbus sues man after he discloses severity of ransomware attack | Ars Technica
https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/

Researcher sued for sharing data stolen by ransomware with media
https://www.bleepingcomputer.com/news/security/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media/

Columbus, the capital of Ohio with a population of 2.14 million, was hit by a ransomware attack on July 18, 2024, causing various services to be suspended, and IT systems such as email and public institutions to be unavailable. At the end of July, the city of Columbus released a statement saying, 'No systems were encrypted by ransomware, but we are investigating the possibility that confidential data may have been stolen.'

On the same day this statement was made, a ransomware group called Rhysida claimed responsibility, claiming to have stolen 6.5TB of data, including employee login credentials, server data, city video camera footage, and other sensitive information. When the city failed to pay its ransom demands, Rhysida issued a taunt by releasing 260,000 files totaling 3.1TB.



According to a lawsuit filed later by the city of Columbus, the exposed files included data dating back to at least 2015, including a large amount of data collected by local prosecutors and police, as well as personal information of undercover investigators. However, on the day the data was leaked, the mayor of Columbus issued a statement saying, 'The information disclosed was not valuable or usable, and the attack was successfully thwarted,' deflecting the provocation.

This raised doubts for Ross, who obtained the data from the dark web, sifted through it and confirmed the presence of information that could be considered “sensitive.” He then shared with the media what was included, disputing the mayor’s claims that no sensitive or valuable data was leaked.

In response, the mayor pointed out that 'the leaked data is unusable because it has been encrypted or corrupted, and there is no need for the general public to worry.'

However, Ross refuted this claim and released samples of the data to the media, proving that it contained unencrypted data of Columbus residents. NBC4, which received the information from Ross, reported, 'The data included names of people involved in domestic violence cases, as well as social security numbers of police officers and crime victims. The data revealed personal information not only of city employees, but also of residents and visitors going back several years.'

The city of Columbus has filed a lawsuit against Ross, acknowledging that he published the data on a restricted access platform and did not make it publicly accessible, but alleging that his actions in disseminating the stolen data were negligent and unlawful.

The city of Columbus is also concerned that Ross has said he plans to create a website where citizens can check whether their data has been leaked, which it believes could hinder police investigations.



On the social networking site Hacker News, comments have been posted such as, 'The situation depends on what kind of data Ross shared,' and 'It's unclear whether Ross disclosed the data itself or just the existence of the data. It's likely this lack of transparency is the reason the city decided to file a

lawsuit .'

The city of Columbus filed a restraining order against Ross to prevent further distribution of the stolen data, but a judge later granted a temporary restraining order prohibiting Ross from accessing, downloading or distributing the data.

Regarding the injunction, the mayor pointed out, 'It does not suppress free speech, and Mr. Ross is free to continue speaking out about this case. He can explain what data he has, but he will not be allowed to distribute it.'

The city of Columbus is seeking more than $25,000 in damages from Ross.

The leaked data is still publicly available on the dark web and is accessible to anyone with knowledge.



in Security, Posted by log1p_kr