Ransomware has long plagued cities across the United States. The attack that hit Columbus, Ohio, in July of this year appears to be another typical ransomware attack. The same cannot be said for the city’s response to the hack, however, and cybersecurity and legal experts across the country have questioned its motives.
Connor Goodwolf (legal name: David Leroy Ross) is an IT consultant who explores the dark web. “I track darknet-type crime, criminal organizations, and the reason why the Telegram CEO was arrested,” Goodwolf said.
So when news broke that his hometown of Columbus had been hacked, Goodwolf did what he was supposed to do: He poked around on the Internet. It didn’t take long for him to discover what the hacker had.
“It’s not the biggest breach, but it’s one of the most impactful breaches I’ve ever seen,” Goodwolf said.
In some ways, he described it as a routine breach, with personally identifiable information, protected health information, Social Security numbers and driver’s license photos all compromised. However, since multiple repositories were compromised, it is more comprehensive than other attacks. Goodwolf said the hackers breached multiple databases belonging to the city government, police and prosecutor’s offices. There are arrest records and sensitive information about minors and victims of domestic violence. He said some of the leaked databases date back to 1999.
Goodwolf found more than 3 terabytes of data that took more than 8 hours to download.
“The first thing I saw was the prosecutor’s database and I thought, ‘Oh my gosh, these are domestic violence victims.’ When it comes to domestic violence victims, we need to protect them the most because they’ve been victimized once, and now their information has been exposed again,” he said.
Goodwolf’s first action was to contact the city to let them know the extent of the breach because what he saw contradicted official statements. At a press conference on August 13, Columbus Mayor Andrew Ginther said: “The personal data posted by threat actors to the dark web is either encrypted or corrupted, so the majority of the information provided by threat actors cannot be used.”
But Goodwolf’s findings don’t support this idea. “I have made multiple attempts to contact multiple departments within the city and have been rebuffed,” he said.
Mandiant, owned by Google, and many other top cybersecurity companies have been tracking the continued growth of ransomware attacks, both in prevalence and severity, and the rise of the Rhysida group behind the Columbus hack, which has come to prominence over the last year.
The Rhysida group claimed responsibility for the hack. Although little is known about the cyber group, Goodwolf and other security experts say they appear to be state-sponsored and based in Eastern Europe, and may be related to Russia. Goodwolf said the ransomware gangs are “professional operations” with employees, paid vacation time and public relations staff.
“Since last fall, they have stepped up their attacks and their targeting,” he said.
The U.S. government’s Cybersecurity and Infrastructure Security Agency made an announcement about Rhysida last November.
Goodwolf said that when no one from the city responded to him, he went to local media and shared the data with reporters so they could understand the severity of the breach. That’s when he received a letter from the city of Columbus, which was bringing a lawsuit and seeking a temporary restraining order to prevent him from disseminating any more information.
The city defended its response in a statement to CNBC:
“The city initially acted to obtain this order from the court to prevent the dissemination of sensitive and confidential information that threatened public safety and criminal investigations, which could include the identities of undercover officers.”
The city’s 14-day temporary restraining order against Goodwolf has now expired, and a preliminary injunction has now been issued, along with an agreement with Goodwolf not to release any more data.
“It should be noted that the court order does not prohibit the defendants from discussing the data breach or even describing the types of data that were exposed,” the city’s statement added. “It only prohibits individuals from distributing stolen data posted on the dark web. The city is still working with federal authorities and cybersecurity experts to respond to this cyber intrusion.”
The mayor, meanwhile, did have to apologize at a subsequent press conference and said his original remarks were based on the information he had at the time. “That was the best information we had at the time. Obviously, we found out that it was inaccurate information and I have to take responsibility for that.”
Recognizing that residents are at greater risk than initially thought, the city is offering two years of free credit monitoring from Experian. This includes anyone who has come into contact with the City of Columbus through an arrest or other matter. Columbus is also working with legal aid agencies to understand what additional protections are needed for victims of domestic violence who may be harmed or need help with a civil protective order.
So far, the city has not paid the hackers a $2 million ransom.
“He’s not Edward Snowden”
Those who study cybersecurity law and work in the field expressed surprise that Columbus filed a civil lawsuit against the researchers.
“Litigation against data security researchers is rare,” said Raymond Ku, a law professor at Case Western Reserve University. On the rare occasions when it does happen, he said, it’s usually when researchers are accused of disclosing how a flaw was exploited, which would allow others to also exploit the flaw.
“He’s not Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity company Huntress. Snowden, a government contractor who leaked classified information and faces criminal charges, considers himself a whistleblower. Hanslovan said Goodwolf was a Good Samaritan who independently discovered the leak.
“In this case, it appears that we just silenced someone who, from what I understand, appears to be a security researcher who did the bare minimum and confirmed that the official statement was not true. This cannot be an appropriate recourse to the courts,” Hanslovan said, predicting that the case would soon be overturned.
Columbus City Attorney Zach Klein said at a press conference in September that the case “is not about free speech or whistleblowing. It is about the downloading and disclosure of stolen criminal investigation records.”
Hanslovan worries about the knock-on effect of cybersecurity consultants and researchers being afraid to do their work for fear of prosecution. “The bigger story here is that we’re seeing the emergence of a new hacker response strategy” in which individuals are silenced, which should not be welcomed, he said. “Suppressing any opinion, even for 14 days, is enough to prevent something credible from coming to light, and that scares me,” Hanslovan said. “This voice needs to be heard. When we see larger network security incidents occur, I worry that people will be more concerned about exposing them.”
Scott Dylan, founder of NexaTech Ventures, a British venture capital firm, also believes that Columbus’s actions may have a chilling effect on the cybersecurity field.
“As the field of cyber law continues to mature, this case may be cited in future discussions about the role of researchers after a data breach,” Dylan said.
He said the legal framework must continue to evolve to keep up with the sophistication of cyberattacks and the ethical dilemmas they create, and that Columbus was wrong to do so.
In the meantime, Goodwolf’s legal proceedings will continue to move forward. Although Columbus and Goodwolf reached an agreement last week regarding the dissemination of the information, the city is still suing him in a civil lawsuit seeking damages that could amount to $25,000 or more. Goodwolf represents himself in meetings with the city but said he has an attorney on standby if needed.
Some residents have filed a class-action lawsuit against the city. Goodwolf said that 55% of the leaked information has been sold on the dark web, and 45% is available to anyone with the ability to access the information.
Dylan believes the city is taking a big risk, even if its actions are legally defensible, by creating the appearance of trying to suppress speech rather than encourage transparency. “This tactic could backfire, both in terms of public trust and future litigation,” he said.
“I hope the city realizes it was wrong to file a civil lawsuit that has implications beyond safety,” Goodwolf said, noting that Intel is building a $1 billion facility in suburban Columbus. In recent years, the city has positioned itself as a new technology hub in the Midwest, and attacks on white hat and cybersecurity researchers could cause some in the tech industry to reconsider it as a location, he said.