Introduction
In July 2024, the City of Columbus, Ohio, suffered a ransomware attack that compromised the personal and financial data of approximately 500,000 residents and city employees [1] [2] [3] [4] [5] [6] [7] [8]. The attack, attributed to the Rhysida ransomware group [3], exposed weaknesses in municipal cybersecurity and raised questions about how prepared local governments are to handle such threats.
Description
The City of Columbus, Ohio, confirmed that a ransomware attack on July 18, 2024 [7], resulted in the theft of personal and financial data from approximately 500,000 residents and city employees, nearly half the city's population [1] [2] [3] [4] [5] [6] [7] [8]. The Rhysida ransomware group, which has been linked to the Vice Society group and previously targeted the British Library, claimed responsibility for the attack [1] [3] [4] [5] [6] [8], asserting that it had exfiltrated 6.5 terabytes of data. The stolen data included names, Social Security numbers, bank account information, dates of birth, driver's license numbers, identification documents, addresses, city employee account numbers, payroll records, passwords, emergency services applications, and access to city video feeds [2] [4] [5] [6] [7] [8]. City officials initially stated that the attackers had not encrypted any city systems and that the data they had taken was itself encrypted or corrupted and therefore unusable; that claim was contradicted when readable copies of the stolen data were shown to be accessible online, raising questions about the accuracy of the city's assessment of the breach [3] [4].
Approximately 260,000 documents, about 45% of the stolen data, were published on the group's dark web leak site [2] [3] [4] [5] [7], confirming that the personal information of many residents had been compromised. To contain the intrusion, the city's Department of Technology took critical systems offline and severed internet connectivity to limit exposure and prevent encryption of further systems. The Rhysida group demanded a ransom of 30 bitcoin, roughly $1.9 million at the time [2] [6] [7]. Columbus officials have not confirmed whether a ransom was paid; after negotiations failed [1], the group began leaking files, including employee credentials and personal documents [2] [8]. It uploaded 3.1 terabytes of unsold data, consisting of 258,270 files, to its leak site [1] [7]. The incident ranks among the most significant public sector data breaches in recent history [1], and the city has spent $4 million on securing the compromised systems and investigating the attack [6].
In early October, the city notified the roughly 500,000 affected individuals that their personal and financial information had been published on the dark web [3] [4]. The breach notification described the compromised data and urged recipients to monitor their accounts for unusual activity [4]. Columbus is offering 24 months of Experian credit monitoring and dark web monitoring to those affected [8], with enrollment closing on January 31, 2025 [6]. The city also sued cybersecurity researcher David Leroy Ross, known online as Connor Goodwolf, for sharing portions of the stolen data and publicly disputing the city's claim that the data was encrypted or corrupted [2] [3] [4] [7]. The suit sought damages and an injunction against further dissemination of the data; it was later dropped after public criticism, with Ross agreeing to a permanent injunction that bars him from sharing the data without the city's approval [3].
Ransomware attacks on government agencies can severely disrupt operations and essential services [6]. Comparitech has recorded 72 confirmed ransomware attacks on US government agencies so far in 2024, affecting 844,631 records, and counts the Columbus breach as the largest since its tracking began in 2018 [6]. Its researchers have documented 60 confirmed ransomware attacks attributed to Rhysida, affecting over 4 million records, with an average ransom demand of $1.15 million [6]. Notable Rhysida attacks include major breaches in the healthcare sector and at various government agencies [6].
Conclusion
The ransomware attack on Columbus, Ohio, is a stark reminder of the weaknesses in municipal cybersecurity [1] [2] [3] [4] [5] [6] [7] [8]. The breach not only exposed sensitive personal and financial data but also showed how easily such an intrusion can disrupt city operations. In response, Columbus has offered credit and dark web monitoring to affected individuals and pursued legal action against the researcher who publicized the leaked data. The incident nonetheless underscores the need for local governments to strengthen their defenses and their incident preparedness so they can counter such threats effectively in the future.
References
[1] https://www.infosecurity-magazine.com/news/columbus-ransomware-attack-exposes/
[2] https://nationalcioreview.com/articles-insights/extra-bytes/data-of-nearly-half-the-columbus-ohio-population-exposed-in-security-breach/
[3] https://siliconangle.com/2024/11/04/city-columbus-acknowledges-data-theft-lawsuit-security-researcher/
[4] https://izoologic.com/region/us/rhysida-gang-leaks-3-1tb-of-data-from-columbus-cyberattack/
[5] https://www.malwarebytes.com/blog/news/2024/11/city-of-columbus-breach-affects-around-half-a-million-citizens
[6] https://www.comparitech.com/news/columbus-oh-notifies-500k-people-of-data-breach-that-compromised-residents-ssns-bank-account-info/
[7] https://techcrunch.com/2024/11/04/columbus-says-ransomware-gang-stole-personal-data-of-500000-ohio-residents/
[8] https://securityaffairs.com/170568/data-breach/city-of-columbus-ransomware-attack-impacted-500000-people.html