Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack

Victims were placed in serious danger following highly sensitive data dump


The City of Columbus, Ohio, has confirmed half a million people's data was accessed and potentially stolen when Rhysida's ransomware raided its systems over the summer.

In fact, the city noted in a filing that the number of people potentially affected was 500,000 exactly, an oddly round number for data break-in disclosures of this kind.

It's the first time Columbus has confirmed the scale of the ransomware attack and associated data exposure. Rhysida said it dumped around 3 TB worth of stolen files on its blog after failing to net an extortion payment from the city, but as ever with these things, it's difficult to comb through all these records to determine exactly how many people were caught up in the attack.

That said, we only know the scale because of the filing with Maine's attorney general. The letters sent to the potentially affected individuals, which were delivered on or around October 7, did not mention the number of other victims or detail the nature of the data that's now said to be accessible via the dark web.

As ever with ransomware leaks, there is likely to be some variation in the types of data exposed to the criminals, but Columbus reckons the following categories of personal information are the main ones:

Perhaps more concerning was the source of the stolen data, however. Data points are one thing, but when these are combined with the specific source, they can reveal much more than just a name, for example.

Security researcher Connor Goodwolf, whose legal name is David Leroy Ross, previously told CNBC that after downloading the 3 TB file from Rhysida, he found signs that the database belonging to the city's prosecutor was one of the sources of stolen data.

Goodwolf said one of the first observations he made was that domestic violence victims were among the 500,000 affected individuals (The Register has not downloaded or reviewed the files to verify this). It goes without saying that if those victims had their names and home addresses leaked, their safety could be put in grave danger.

Columbus sued Goodwolf following his remarks on the incident. It's rarely a good look when ransomware victims sue security researchers over their work, although the city said this was only done to prevent Goodwolf from disseminating the stolen data, which the complaint alleges he threatened to do.

The civil complaint [PDF] made by the city confirmed the prosecutor's backup database was accessed, as was the backup crime database, which includes details of misdemeanor crimes dating back to 2015.

"This data would potentially include sensitive personal information of police officers, as well as the reports submitted by arresting and undercover officers involved in the apprehension of the persons charged criminally by the City prosecutor's office," the complaint reads. 

"These databases also contain the personal information of crime victims of all ages, including minors, and witnesses to the crimes the City prosecuted from at least 2015 to the present."

None of this was included in the letter sent to victims, although it was alluded to in an August press conference.

Mayor Andrew Ginther was criticized by attendees for backtracking on earlier statements suggesting no data was compromised in the incident, only for him to reveal that, in fact, highly sensitive data was indeed stolen and leaked.

It's worth noting, though, that data leak investigations can take time to determine with certainty the nature and scope of the incident. It's understandable that the mayor didn't want to raise any alarm unnecessarily, but after refusing to pay the criminals, it could be argued the city should have warned that the leaking of data was a possibility.

Although the letter fell short of outlining the sensitive nature of the attack, it does state that the city has no evidence suggesting the stolen data was misused in any way.

Local media reporting soon after the July 18 attack noted that a number of city staff had their bank accounts broken into following the ransomware attack, but a link between the two has not been officially established.

In a slightly unusual move, around the same time as these reports, the city offered all Columbus residents and victims of Rhysida's damage 24 months' worth of Experian credit monitoring. Typically this is offered to the victims only.

"I'm angry and concerned that the city and our residents are victims of this cyberattack," said Ginther at the time. "My priority is to do everything we can to protect the residents of our city. That is why we are extending two years of free Experian credit monitoring to all of our residents to help protect them from potential fraud or identity theft."
