The City of Columbus, Ohio, which serves as the state capital, has reported that hackers compromised the personal information of 500,000 residents during a ransomware attack that occurred in July.
In a submission to the attorney general of Maine, Columbus acknowledged that a “foreign cyber threat actor” infiltrated its network, gaining access to sensitive data such as residents’ names, birth dates, addresses, identification documents, Social Security numbers, and banking information.
As the most populous city in Ohio, with an estimated population of 900,000, Columbus indicated that approximately half a million individuals were impacted, although the precise number of victims has not been verified.
This regulatory disclosure follows a ransomware incident on July 18 of this year, which the city asserted it had successfully mitigated by disconnecting its network from the internet.
The ransomware group Rhysida, known for its previous cyberattack on the British Library, claimed responsibility for the Columbus attack in August. The group stated that it had exfiltrated 6.5 terabytes of data from the city, which included databases, internal employee logins and passwords, a complete dump of servers related to emergency services, and access to city surveillance cameras, as reported by local news outlets.
Rhysida demanded a ransom of 30 bitcoin, equivalent to approximately $1.9 million at the time of the attack, in exchange for the stolen data.
Two weeks post-attack, Mayor Andrew Ginther informed the public that the stolen data was likely “corrupted” and “unusable.”
However, the validity of Ginther’s assertion was called into question the following day when cybersecurity researcher David Leroy Ross, also known as Connor Goodwolf, disclosed that the personal information of hundreds of thousands of Columbus residents had appeared on the dark web.
In September, Columbus initiated legal action against Ross, claiming that he was “threatening to disclose the City’s stolen data to third parties who would otherwise lack immediate access to such information.” A judge subsequently issued a temporary restraining order against Ross, prohibiting him from accessing the stolen data.