Multiple media outlets confirmed private information from everyday Columbus residents was obtained and leaked online through a ransomware attack just hours after Mayor Andrew Ginther claimed the stolen data was unusable.
NBC4 reported Tuesday evening that it confirmed data from private citizens including addresses, drivers' licenses and, in some cases, social security numbers were leaked online by the cyber criminal group Rhysida. The TV station even confirmed some of its own reporters' information was part of the leak.
WCMH and other news outlets spoke with a man using the pseudonym Connor Goodwolf who showed them in-person the data he was able to download from the dark web. The information was of visitors to Columbus City Hall who often have to scan their identification cards to enter the building and a list of domestic violence victims.
Goodwolf told the Columbus Dispatch more than 470,000 people in Columbus and outside of the state of Ohio were included in the leak, including himself.
Ginther had just spoken to reporters Tuesday morning and claimed that all of the data was corrupted, encrypted and unusable by anyone who downloaded it from the dark web. He also claimed the data leak was limited to information of Columbus city employees and no private citizens information was downloaded.
That was not the case.
A spokesperson for Ginther's office said the mayor is acknowledging that what he told reporters yesterday is inaccurate to what is known now.
"This information was shared in good faith, was based upon rigorous investigation and reliable sources, and was shared an in effort to offer transparency into the events of the past weeks," Ginther said in a statement.
"We are now aware that an individual has come forward with information. We are pursuing this information with the foremost concern of protecting and serving Columbus residents. We are actively evaluating additional resources to support the public and the city. As we continue to investigate, we will act on and share verifiable information," Ginther said.
Columbus City Attorney Zach Klein's Office also sent a statement acknowledging crime victims it serves may have been affected by the leak.
“I take this very seriously because our mission is and always will be to serve and protect victims. The City Attorney's Office will continue to do all that we can to protect our community and victims, both in and out of the courtroom. Moreover, we will continue to support ongoing efforts of the Department of Technology and the City's experts, as well as the FBI and Homeland Security, as they sort through the possible exposure of personal information by these criminals," Klein said.
Rhysida breached the city's systems on July 18. The city claimed it "thwarted" attempts to encrypt its systems to hold it hostage for a ransom, but the group still was able to steal the data. Rhysida attempted to sell a chunk of the data on the dark web in an auction, but then chose instead to dump the data.
WOSU spoke to cyber security expert Shawn Waldman, who said he suspects Ginther may have just been told the wrong information before he addressed reporters. Waldman has worked with other cities on cyber security and said actually finding out what data is stolen takes much longer than a month.
"Forensics takes a long time, so, I don't know anybody that can turn forensics correctly in about 30 days, which is about where we're at. I don't remember where the bridge started, but it's too soon. I would have told the public that this could take months to get the information back," Waldman said.
Waldman said he thinks everyone in the city of Columbus should just assume that their data, their identity and their sensitive information is up for grabs. He said people with this data can do a whole host of things that can damage someone.
"We can make fake IDs, we can mimic the identity of somebody at that point. You can take out loans. You could possibly go to the bank and make a withdrawal. It is possible to see financial theft and those types of things," Waldman said.
Waldman said you should never tell the public partial data, but said being transparent is still key.
"I think they need to be in front of the public more, giving out information. I know the city was a little upset about what they would call speculation by outside sources not involved," Waldman said. "But I think there would be less of that if the city themselves would be more proactive with educating the public in the media of exactly what is going on and what the next steps are, and in the absence of that information, we're forced to do what we're doing today."
