COLUMBUS, Ohio — As Columbus City Council returned from its August recess, members addressed the major data breach for the first time.
The City of Columbus reported learning it had been part of a data breach on July 18 and severed its connection to the internet. In the weeks following, 10TV learned from a whistleblower, the extent of the impact.
The stolen data posted to the dark web includes information from city employees, crime victims and suspects, police officers, residents and more.
“I know staff are working around the clock and putting in long nights and weekends but our residents our employees, victims of crimes and others who trust our city to safeguard their personal information are right to be worried about the extent of this breach and what it means for their safety and privacy,” said City Council President Shannon Hardin.
President Hardin said he found out some of his and his family’s personal information had been posted to the dark web through media reports.
He shared the FBI and Homeland Security are involved in the investigation into the hack, so the city can only share limited information.
He explained the administration is responsible for the investigation whereas council’s job is oversight to ask questions to educate themselves and the public. Hardin announced city council will hold a public hearing in the coming weeks to look at how the hack occurred, and how to secure the system for the future.
Department of Technology Director Sam Orth spoke publicly about the hack for the first time at the meeting on Monday and will deliver an update weekly at each city council meeting moving forward.
He said the city took immediate action on July 18 to disconnect from the internet, preventing the attackers from locking the city out of their own systems.
“It is important to note that at no time did the city ever receive a ransom demand. The city attempted through its experts to reach out to Rhysida before they posted the stolen data and we never received a response,” Orth said.
The city originally notified individuals who may have had their data impacted, but once they realized the extent of the attack, they switched to a mass communication model to get the word out.
When asked if Orth would feel comfortable giving his ID to City Hall, or sharing information with the city, he said “yes” but could not guarantee the safety of such action.
Orth explained cyberattacks have become more of a threat nationwide. He said the city blocked 200,000 attempted threats in 2023.
“Despite our vigilance we were unable to prevent this attack by Rhysida,” he said. “Columbus sadly is not alone in this fight. In a world where cyber criminals continue to refine their tactics even the best prepared organizations suffer losses.”
Orth said 70% of the city’s systems have been restored but could not provide an exact timeline to when the city will fully be back online.
The city filed a lawsuit against Connor Goodwolf, the cybersecurity expert. He sat in the audience during the council meeting and left after the technology director’s statements.
The city is encouraging anyone who believes they may have had their data impacted to sign up for free credit monitoring by Nov. 29. Orth said minors are eligible to sign up too, and mentioned even if they are not old enough to have a credit card, they could still have their identity stolen. You can learn more and sign up here.