Cybersecurity

Data stolen in Columbus, Ohio, ransomware attack likely ‘unusable,’ mayor says

Columbus, Ohio, Mayor Andrew Ginther said ransomware actors were unable to sell the city's data because it was corrupted or encrypted.

By Sophia Fox-Sowell

August 13, 2024

Columbus Mayor Andrew Ginther addresses the media outside of the Wexner Medical Center on the attacks that took place on the Ohio State University campus earlier in the day on November 28, 2016 in Columbus, Ohio. (Kirk Irwin / Getty Images)

The data stolen in a ransomware attack on Columbus, Ohio, last month — which forced the city to shut down much of its technology operations — is likely unusable, Mayor Andrew Ginther said Tuesday.

“The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data came by the threat actor is unusable,” Ginther told reporters at a press conference Tuesday, where he called the discovery a “breakthrough” in the city’s forensic investigation of the recent cyberattack.

The international hacking group Rhysida claimed responsibility for the July attack on Aug. 2. The group published screenshots as proof of 6.5 terabytes of stolen city data, including log-in information and other critical city data.

A city fact sheet shared with StateScoop shows that Rhysida tried to auction the stolen data on the dark web twice, once on July 31, and again on Aug. 8. Forensic experts involved in the investigation believe the auctions failed because the data was corrupted or encrypted.

The fact sheet also shows that the city never received a ransom demand from the threat actor.

“The threat actor claimed to have 6.5 terabytes of data, but our forensics indicate they had far less. We believe that the screenshots of the data files are the most compelling asset that they had, but that sensitive files were either encrypted or corrupted. We believe this is why the data auction failed,” Ginther said Tuesday.

The Cybersecurity and Infrastructure Security Agency last November noted in a report that Rhysida predominately attacks the education, health care, manufacturing, information technology and government sectors.

Ginther added that due to the ongoing investigation, the city still needs to be careful about the information it shares with the public so as to not “antagonize the threat actor.”

“We engaged the FBI homeland security and cyber security experts from the outset of this investigation, and experts advised us that we had to be cautious not to jeopardize our systems, or data” he said.