Columbus, Ohio’s messy ransomware saga underscores legal gray areas
Cyberattacks, especially ransomware attacks, on state and local government agencies are a dime a dozen these days, and usually follow the same song and dance of initial attack, response and restoration.
The saga of the Columbus, Ohio, cyberattack has not been so neat and tidy.
In July, the city of about 900,000 people suffered a ransomware attack that forced its technology department to disconnect the city’s network from the internet. The international hacking group Rhysida later claimed to have stolen 6.5 terabytes of data.
Two weeks after the cyberattack, Columbus Mayor Andrew Ginther told the public the stolen data was likely “corrupted” and “unusable.”
“The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data [obtained] by the threat actor is unusable,” Ginther told reporters at a press conference in August, where he called the discovery a “breakthrough” in the city’s forensic investigation of the cyberattack.
The next day, the mayor’s optimistic declaration was contradicted by David Leroy Ross, a cybersecurity researcher who goes by the name Connor Goodwolf in media interviews. He told local news station WBNS that the personal information of hundreds of thousands of Columbus residents was available on the dark web.
In an email to StateScoop responding to Ross’s claim, Ginther wrote: “I shared information that had been verified through our cybersecurity investigation. This information was shared in good faith, was based upon rigorous investigation and reliable sources, and was shared in an effort to offer transparency into the events of the past weeks.”
A Columbus city fact sheet shared with StateScoop showed that the hacking group Rhysida tried to auction the stolen data on the dark web twice, first on July 31, and again on Aug. 8. Forensic experts involved in the investigation said the auctions failed because the data was corrupted or encrypted.
But Luke Connolly, a cybersecurity analyst at Emsisoft, told StateScoop that the ransomware group’s failure to sell data doesn’t prove that the data is unusable.
“I can’t really comment on what the investigation did or didn’t do or find. All I can say is that I was able to view many different documents,” Connolly said.
In late August, the Columbus city attorney’s office filed a lawsuit against Ross, accusing the researcher of causing “irreparable harm” and “widespread concern throughout the Central Ohio region.” In September, the city dropped that lawsuit in favor of an agreed preliminary injunction intended to stop Ross from sharing the stolen data with the media, the conduct the city had alleged was harmful.
Both Ginther and Zach Klein, Columbus’ city attorney, declined to be interviewed for this story. Ginther is currently facing calls for his resignation, both over the cyber event and over a potential labor violation. The city recently sent StateScoop a statement about the restoration status of the city’s network that does not address the mayor’s actions in the weeks immediately following the cyberattack.
“Although this remains a complex and rapidly changing situation, we are pleased to report that significant progress has been made in bringing our IT infrastructure back online,” the statement read. “To date, 70% of the city’s systems have been fully restored, while another 7% have been partially restored. Our goal is to achieve full restoration of all systems by the end of October.”
A patchwork of laws
The whirlwind of events in Columbus is unusual.
Normally after a cyberattack, a city will launch an investigation, work with state and federal IT officials to restore the compromised systems and keep the public updated as it makes progress. But Jim Dempsey, managing director of the Cybersecurity Law Center at the International Association of Privacy Professionals, said the city’s effort to stay ahead of the story highlights the responsibilities of custodians that routinely collect citizen data, such as city governments.
“A data custodian is responsible for protecting the security of the data, to protect it against loss or theft or misuse, and to ensure that it’s available when needed,” Dempsey told StateScoop in a recent interview. “So data security, cybersecurity has always been part of the concept of fair information practices.”
Fair Information Practice Principles are a collection of widely accepted concepts that agencies use when evaluating information systems, processes, programs and activities that affect individual privacy, according to the Federal Privacy Council, an interagency forum that works to improve the privacy practices of government organizations.
While not required by law, these principles influence U.S. data privacy laws, like the Ohio Public Records Act, which protects certain sensitive information from public disclosure.
Many of these data privacy laws, Dempsey said, including the U.S. Privacy Act of 1974, do not directly refer to cybersecurity, which creates a gray area over who, or which entity, is responsible when an incident occurs. Even though they never use the word “cybersecurity,” Dempsey said, most data privacy laws end up serving as the de facto cybersecurity laws.
“There’s a very complex patchwork quilt of laws on cybersecurity, or that may not even mention ‘cybersecurity,’ but that are used in cybersecurity cases. So cybersecurity and privacy really go together. They’ve always gone together,” he said.
The 50-year-old Privacy Act establishes rules for how federal agencies may store, access and use personally identifiable information, but half a century ago, cybersecurity as it is known today did not exist.
According to a report by the FBI’s Internet Crime Complaint Center, government agencies were the third largest critical infrastructure sector targeted by ransomware attacks in 2023.
Dempsey said the increasing number and sophistication of cyberattacks, like the ransomware attack on Columbus, underscores the need for comprehensive cybersecurity regulations to address the evolving threat landscape.
‘Duty to protect stolen data’
The ransomware attack in Columbus, Ohio, exposed the data of about 400,000 residents, including sensitive police information such as witness accounts, criminal cases and ongoing undercover operations, which led to two class action lawsuits filed against the city.
The first came from two police officers who filed a class action lawsuit on Aug. 9 against the city, alleging it had failed to protect their data. It was later amended to include all affected residents.
“There is a general rule that when certain kinds of personal information, particularly when it’s identifying information — name, address, phone number, Social Security number, financial data, health data associated with a name — where it’s identifiable to an individual, then notice must be provided to each individual whose data was compromised,” Dempsey said.
The second suit came from Columbus police and firefighters, who claimed to have suffered financial impacts from the data breach. The lawsuit asks the city to fully and accurately disclose the nature of the information that was compromised and to adopt sufficient security practices to prevent similar incidents.
“As far as the complaint, it exists because of the City’s duty to protect stolen data from dissemination, including the potential exposure of the identities of undercover police officers, evidence in ongoing criminal investigations, and sensitive personal information of residents,” reads an emailed statement from the Columbus city attorney’s office.
Proof of injury
Dempsey, who wrote a book outlining each state’s privacy laws called Cybersecurity Law Fundamentals, said the U.S. practices a “sectoral” approach to data privacy, with each law using a unique definition of personal information. The result is privacy laws that vary by state and industry.
“The concept of privacy is pretty universal, [but] it’s not the same set of standards,” he said.
Ohio’s privacy law, for example, does not impose a cybersecurity requirement on government entities. Instead, the state tries to encourage cybersecurity practices by offering organizations “an affirmative defense against tort actions,” that is, against lawsuits brought under the branch of civil law that deals with wrongs causing harm to people or their property.
“Again, it varies tremendously. State by state, governmental entities can be liable for data breaches. There are, probably at this point, dozens of cases, including about state governments, holding that the governments do or don’t have a duty of care,” Dempsey said.
But damages, usually monetary, can only be awarded if the plaintiff can show an injury has occurred.
“Let’s say there was a ransomware attack on this particular government agency that has my data, and my sensitive data was exposed, whether it’s, you know, driver’s license numbers, my Social Security number, whatever, but I can’t prove that I’ve incurred an injury like I haven’t been subject to identity theft, I haven’t lost any money. Nobody’s tried to impersonate me. But I can’t prove that anything negative or that I’ve accrued any damages,” Dempsey said. “Do I still have a case because my data was still exposed by the data custodians that were supposed to protect it?”
Under Ohio’s privacy laws, the City of Columbus filed a lawsuit against David Leroy Ross, claiming the cyber researcher caused “irreparable harm” and “widespread concern throughout the Central Ohio region” when he shared with the media stolen data that Rhysida had already made publicly available on the dark web.
Amid these proceedings, a judge approved a temporary restraining order prohibiting Ross from accessing, downloading or disseminating the stolen city data.
A few weeks later, Ross and the city agreed to a preliminary injunction, which allowed him to “maintain a dialogue with the city regarding the cyber intrusion,” and to “download any data he wants from the city, but prohibits him from sharing said sensitive data unless it’s to the City,” according to an email from the Columbus city attorney’s office. The preliminary injunction permits Ross to share data subject to disclosure under the Ohio Public Records Act, as that information is already public record.
“The City Attorney’s Office believes that the current agreed preliminary injunction is protecting our citizens and employees all while also protecting Mr. Ross’ constitutional rights,” Pete Shipley, communications director for Columbus City Attorney Zach Klein, told StateScoop in an emailed statement. “We recognize Mr. Ross’ participation and acknowledgement of our shared objectives to protect the vulnerable and public safety thus far. We will continue to work towards a permanent resolution that is in the best interest of citizens and the public.”
Mayor Ginther last month said that the July cyberattack could cost the city millions of dollars in restoration and recovery expenses.
“We know it will be millions of dollars,” Ginther told ABC 6. “There’s going to be a significant amount of money towards credit monitoring. A significant amount of money is going towards the investigation.”
A spokesperson from the mayor’s office told StateScoop the city’s incident response has been conducted under an emergency order from the mayor since the breach was identified in July. The order includes an emergency authorization for $4 million, directing “$3 million towards operating costs and $1 million to cover incident response and remediation,” according to the spokesperson.
Earlier this month, the Columbus city council approved a $7 million expenditure by the city’s Department of Technology, including $3 million in new funding requests, to address IT expenses from the ransomware attack, such as data forensics, cyber threat monitoring and legal counsel related to litigation.
Timeline of key events in the Columbus, Ohio, ransomware attack
July 18: The City of Columbus suffers a ransomware attack, disrupting its 911 and 311 services.
July 23: Mayor Andrew Ginther tells WBNS that the city’s 911 and 311 dispatch centers are still “operational,” but have been forced to revert to paper processes.
Aug. 1: Rhysida claims responsibility for the attack and demands nearly $2 million in ransom for the data, releasing screen captures to prove it has the city’s sensitive data. Columbus police employee information appeared to be the most at risk.
Aug. 9: A law firm representing two police officers files a class action lawsuit against the city of Columbus, alleging the city failed to protect highly sensitive data. The lawsuit is later amended to include any resident affected by the breach.
Aug. 13: Ginther tells the public that the data stolen in the cyberattack is likely “corrupted and inaccessible,” based on a fact sheet published by the city.
Aug. 14: An anonymous cybersecurity researcher, later identified as David Leroy Ross, also known as Connor Goodwolf, tells ABC10 he found the private information of 400,000 Columbus residents on the dark web, including sensitive police information going back 10 years.
Aug. 29: The Columbus City Attorney files a lawsuit against Ross, seeking $25,000 in damages, claiming he violated the First Amendment and citizens’ right to privacy. The city also seeks a temporary restraining order requiring Ross to stop accessing, downloading or disseminating the city’s stolen data.
Sept. 11: The Columbus City Attorney’s Office drops its lawsuit against Ross, opting for a preliminary injunction that “prohibits him from disseminating sensitive data as outlined in the agreement unless it’s to the City,” according to an email from the city attorney’s office.
Oct. 4: The Columbus Department of Technology requests $7 million, including $3 million in new money, from the Columbus City Council to pay for the city’s ongoing response to the July ransomware attack.
This story was featured in StateScoop Special Report: Cybersecurity 2024