Researcher sued for sharing data leaked in Columbus ransomware attack
Caitlin Anthoney Sep 4, 2024 9:45:00 AM
The City of Columbus, Ohio, has filed a lawsuit against cybersecurity researcher David Leroy Ross, also known as Connor Goodwolf. The lawsuit accuses him of illegally gathering and sharing his findings with the media.
What happened
On July 18, 2024, Columbus, Ohio, experienced a ransomware attack that interrupted municipal services and IT connectivity. The ransomware group Rhysida claimed responsibility for the attack and said it had stolen 6.5 TB of data. After failing to get the ransom from the city, Rhysida released 45% of the stolen data on August 8, 2024.
Despite Mayor Andrew Ginther's assurances that the compromised data was either encrypted or corrupted, cybersecurity expert Connor Goodwolf began investigating the leaked data after discovering his own information was compromised. Goodwolf stated that it only took him 12 hours to download the portion of the leak he had.
After he shared his findings with NBC4, the station's investigation revealed that the leak contained server records from the City Attorney's office, payroll databases, and an ID scanning system containing driver’s license numbers and addresses of individuals who visited Columbus City Hall over the past 20 years.
The City of Columbus has since filed a lawsuit against Goodwolf for allegedly collecting and sharing the data. In their lawsuit, the city is seeking a restraining order, injunctions, and damages of over $25,000 against Goodwolf. They claim that his actions interfered with ongoing police investigations and provoked public fear.
The backstory
In July 2024, Rhysida launched a ransomware attack on Columbus, Ohio. At that time, the group demanded a ransom of 30 bitcoins (approximately $1.9 million) in exchange for not releasing the stolen data. After failing to secure the ransom, Rhysida released nearly half of the stolen data (3.1 terabytes) on the dark web.
What was said
At a press conference, Columbus Mayor Andrew Ginther initially said, “The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data came by the threat actor is unusable.”
According to city attorney Zach Klein, “The lawsuit is not about suppressing free speech, as Goodwolf can still talk about the leak, but is aimed at preventing him from downloading and disseminating the stolen information.”
Why it matters
The city’s lawsuit shows the conflict between cybersecurity researchers and legal authorities when dealing with compromised sensitive data. It also emphasizes the potential legal implications for researchers who release such material, even if their goal is to inform the public. The case could establish a precedent for how researchers handle material obtained by cybercriminals, balancing public awareness with legal limits.
The bottom line
Cybersecurity researchers must consider the legal implications when raising awareness about cybersecurity vulnerabilities. As cybersecurity events rise, comparable legal concerns can emerge, requiring specific regulations for cybersecurity researchers' responsibilities and limitations.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
How can covered entities protect themselves from ransomware attacks?
Covered entities must use HIPAA compliant platforms, like Paubox, which offer multi-factor authentication, access controls, and a secure cloud service to safeguard protected health information (PHI).
Additionally, regular HIPAA training can help staff avoid clicking on suspicious links or downloading files from untrusted sources, protecting the organization from ransomware attacks.
What should individuals do if their data has been compromised?
If an individual suspects their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Furthermore, they should use identity theft protection services and credit monitoring to track misused information.