Columbus Mayor Andrew J. Ginther confirmed that personal information from private residents and others was released on the dark web after a cyberattack that crippled the city.
"Personally identifiable information was released to the dark web," Ginther said during a Saturday press conference on the July 18 cyberattack.
"I can unfortunately say we will find that more personal information will be accessed or published," Ginther said.
The city announced late Friday that it was offering credit monitoring to all city residents and others impacted after the ransomware attack.
The offer through Experian includes two years of free monitoring, which covers up to $1 million of protection against fraud and identity theft.
He said the Experian protection will likely cost the city millions of dollars.
The city initially only offered this service to current and former employees. Then it was revealed that the attack impacted everyday residents' information.
Ginther said city officials don't have details as to how many people — whether they be employees, retirees, residents and others — have been affected.
Information released on the dark web includes the city prosecutor's database that includes information about defendants, victims and witnesses.
Columbus City Attorney Zach Klein said he has reached out to Legal Aid of Southeast and Central Ohio to help with civil protection orders for people who need them.
Ginther said the city continues to bring back services affected by the hack.
"This is a very complex and rapidly changing situation," Ginther said.
The cyber criminal group Rhysida took responsibility for the attack. The group offered the data to buyers for almost $2 million worth of Bitcoin.
On Tuesday, Ginther told reporters that all of the personal data obtained by the criminal group and published online was unusable.
On Saturday, Ginther said that was the best information he had at the time and now says that was inaccurate.
"I accept full responsibility," he said.
Connor Goodwolf, a cybersecurity expert who lives in the city, has been monitoring the released city data on the dark web. He told WOSU on Saturday that he has seen information dating back to 2006.
Goodwolf — his name is a pseudonym, not his legal name — said he has heard from people concerned about activity regrading their credit and bank accounts.
Goodwolf said about 45% of the stolen city data is visible on the dark web, suggesting 55% has been sold.
"What they do with the data is up to them," he said.
"I believe that information sold is being actively utilized to victimize individuals," he said.
He said he has also seen information for people living outside Columbus.
Some of the data is encrypted, he said.
On Monday, Goodwolf told WOSU that he can see names, addresses and social security numbers from people who have interacted with the fire division.
That includes information from arson investigations to people needing help with smoke detectors to those whose cars have broken down.
Goodwolf said he has also seen personal information from a scheduling database of about twenty-five hundred city employees going back to 2004.
Goodwolf said he may sign up for the Experian credit monitoring himself.
The city is already facing a lawsuit from police officers who say the city didn't do enough to prevent the ransomware attack or to alert employees after it happened.
Ginther said the city spent more than $12 million over five years to boost cybersecurity systems.
Residents can click here to sign up for Experian credit monitoring or call 1-833-918-5161 with the code B129833 by Nov. 29.
