COLUMBUS, Ohio — As city leaders continue to deal with the fallout of a citywide cyberattack that started last month, new information and updates are coming to light.
Since events unfolded on July 18, 10TV has learned that hundreds of thousands of private citizens’ information was leaked in the data breach as well as personal information from the Columbus Division of Fire and the Columbus Division of Police.
There are currently two different class-action lawsuits against the city seeking information and asking the city to adopt sufficient security practices and safeguards to prevent incidents like data breaches.
The city is now offering free credit monitoring for affected residents through Experian. You can learn more about the offer here.
Here is a timeline of the events and information as it has unfolded over the past month:
*This timeline will be updated as 10TV continues to learn more about the cyberattack.
10TV’s Lacey Crisp first reported on the data breach on July 22 after Columbus Mayor Andrew Ginther’s office released a statement saying the city's department of technology “found evidence of an abnormality in its system on July 18.”
As a result, the city severed internet connection to reduce the threat to the city's systems.
Nearly two weeks after Ginther unplugged the city from the internet, two officers with the Columbus Division of Police came forward on July 31 saying their bank accounts were hacked.
The two sources said an unspecified amount of money was taken from the accounts. The mayor's office did not comment at the time but said it is aware of the reports.
On Aug. 1, a hacker group came forward claiming responsibility for the attack and demanding nearly $2 million in ransom for the data. The hacker group released screen captures of data to prove they have the city's sensitive data. It shows security camera footage and dispatching information, along with tables of employee data they claim to have.
So far, at this point, it appeared that Columbus police employees' information was the most at risk.
Many Columbus police officers closed out their current banking accounts and asked the city to pay them by paper check instead of direct deposit to secure their new accounts.
The city began offering free credit minoring to its employees the next day, Aug. 2. Ginther’s office confirmed earlier that week that a foreign cyber threat actor attempted to disrupt the city's IT infrastructure to deploy ransomware and solicit a ransom payment from the city.
The hacker group holding the city's data for ransom claimed on Aug. 7 that they had published about 45% of it and threatened to release more if the city didn't pay the ransom by the following morning. However, Ginther's office said there is no evidence that data has been published.
Ginther's office confirmed they are aware of the claims that data has been published and added the links are broken but would not comment any further about possible negotiations.
A law firm representing two police officers filed a class action lawsuit on Aug. 9 against the city of Columbus alleging that the city failed to protect highly sensitive data. The lawsuit was later amended to include any resident who was affected by the breach.
Ginther provided an update on the city’s ongoing battle with a cyberattack on Aug. 13, saying the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless.
According to a fact sheet published by the city Tuesday, the data posted to the dark web by ransomware group Rhysida contained corrupted and encrypted information from city backup files.
A cybersecurity expert revealed to 10TV what personal information was available on the dark web later that day.
Cybersecurity expert Connor Goodwolf, which is a name he chose for the interview and is not his legal name, said anyone who swiped their driver's license at city hall in the last 10 years could be on the dark web. He said the leaked data also included anyone who has dealt with the Columbus City Attorney's Prosecuting Office in any way, including victims, suspects or someone who was subpoenaed by the court or law enforcement.
10TV's Lacey Crisp asked Ginther if he lied about the extent of his knowledge of the information that had been leaked, and he gave a resounding, "No."
"I shared the best information I had at the time based on reports and confirmation from cybersecurity experts. Obviously, what we have learned since then is continuing on our investigation and what is possibly out there, who has access to it," he said.
On Aug. 16, the city expanded the free credit monitoring to all residents impacted by the cyberattack.
On Aug. 17, more than two weeks after the hacker group demanded a ransom, Ginther confirmed that “personally identifiable information” was leaked on the dark web. He also confirmed that data, such as information on criminals, victims of crime and witnesses, from the city prosecutor's office was leaked. Ginther added that more personal information may have been accessed and could be published on the dark web.
10TV learned on Aug. 19 that a second city database was hacked, this included thousands of incident reports from the Columbus Division of Fire and information from people who visited any of the four city buildings since 2006: City Hall, 77 N. Front St., 111 N. Front St. or the Beacon building.
Representing both city police and firefighters, the new lawsuit explains the financial impacts to just a few first responders. The lawsuit asks the city to fully and accurately disclose the nature of the information that has been compromised and to adopt sufficient security practices and safeguards to prevent incidents like the data breach described herein in the future.
On Aug. 28, 10TV learned from Goodwolf about sensitive police information that was leaked on the dark web in the data breach. Goodwolf said that information from the Columbus police crime matrix is available, which includes witness, victim and suspect information from any police report in the last 10 years. It also details the names and details of undercover officers.