Columbus City Council plans to dig into the continued consequences of July's cyber attack that exposed thousands of residents' personal data.
For the first time, the city's IT Director Sam Orth answered questions publicly on Tuesday about the leak of hundreds of thousands of peoples' data for almost half an hour. Orth said almost a fourth of the city's computer systems are still down and officials are still working to get them online.
Orth also acknowledged that Columbus residents' data was likely leaked to the dark web.
"We are outraged that this attack occurred, and I know that many of you feel the same," Orth said. "In 2023, the City of Columbus' Department of Technology monitored 170 billion cyber events on the internet. We blocked over 200,000 attempted threats, and of the 34 incidents where compromises occurred in 2023, all were detected and contained. But despite our vigilance, we were unable to prevent this attack by Rhysida."
Columbus City Council said it will hold a briefing on the cyber attack at every Monday council meeting for the foreseeable future. The city council also plans to hold a public hearing in early October and release a report.
After Columbus announced this, a cyber security expert criticized the city and is calling for accountability. Shawn Waldman has worked with multiple cities in the past to protect themselves from cyber attacks and recover from them.
Waldman said Orth and his staff need to be held accountable after the attack. He criticized Orth's assertion Monday that the city had thwarted the cyber attack.
"I don't know how much worse this could have possibly gotten. It sounds like this was worst case scenario to me," Waldman said.
Columbus City Council President Shannon Hardin shared his outrage over the cyber attack and how it has impacted him personally. Hardin was blunt about how he felt about the attack.
"Trust me, I'm also angry. My family's personal information and my personal information is floating out there. And unfortunately, I had to find that out from the media as well," Hardin said.
Hardin shared that much of council did not find out about the extent of the data breach until news media spoke to and reported on Connor Goodwolf, the dark web user who blew the whistle on the extent of the data breach.
The Columbus City Attorney's Office hindered Goodwolf's ability to speak to reporters last week with a temporary restraining order in the Franklin County Court of Common Pleas. Without Goodwolf's intervention, a statement from Columbus Mayor Andrew Ginther that all of the data on the dark web was unusable might still be believed.
Waldman said he has been involved in many recoveries with local governments that were attacked. He said it takes a long time to recover, because if data backups aren't good and you don't have good recovery processes and procedures, then getting systems back up and running is going to be very difficult.
Waldman also criticized the city for its record retention policy. He said what has been revealed to be on the dark web shows the city has been keeping records for longer than they should have.
"I'm really interested in how the city is going to, you know, retroactively identify those records that shouldn't have been kept and how they plan on getting rid of those properly," Waldman said.
Waldman said he suspects the city of Columbus was "self-investigating" the cyber attack when it should have been investigated by a third party. He said that's what may have led to Ginther giving out false information to reporters just hours before Goodwolf proved what information was actually leaked to the dark web.
Waldman called on Orth to be held accountable.
"Director Orth at the end of the day, is the accountable person. So he is the chief executive in charge of technology for the city of Columbus. So he is responsible for him and his staff and the direction that he led the city to protect them against this incident," Waldman said.
Waldman said the city's plan to release a report in October could be impacted by whether or not the city can say where Ginther got the bad information.
"So not only does he need to be held accountable, but we definitely need to understand what professionals the city had around them and who was giving out the bad information," Waldman said.
