COLUMBUS, Ohio — As we learn more about the cyberattack on the city of Columbus and what data is on the dark web, some are wondering why the city maintained records dating back for decades.
Driver's license data from the EasyLobby system at City Hall has been found on the dark web, some swipes date back to 2006.
“Are we in fact creating a system where we have mass surveillance that creates a huge body of information that as it turns out, if the information were to be obtained by someone nefarious, it could be abused?” said E. Matthew Curtin, founder of Interhack Corp.
RELATED: Full timeline shows how Columbus cyberattack played out
The city has a public records retention schedule that explains how long it must maintain certain records. The city holds onto many records until it is deemed obsolete, which some cybersecurity experts say puts the city at risk.
“When you are talking about public agencies, you are now dealing with public records. In that case the interests of the citizens is very different when you are talking about agencies doing work on their behalf,” Curtin said.
Curtin argues public records should be maintained for decades, but not necessarily online and linked to other data.
“The question also comes up: How long does it need to stay online? Does it need to be accessible right now? Does it need to be in a database that you can search today, or does it need to be somewhere we can get to, but we have to go into a vault to get to?” Curtin said.
He argues that data, like the driver's license information, that is not public could still be maintained but in an archive so that it is not at risk during an incident like a cybersecurity attack.
“When we are talking particular classes of information, there are different approaches for that, which would include things like segmentation and compartmentalization that it does not follow that someone who has access to one system has to access to other systems,” Curtin said.
In a statement, Columbus Mayor Andrew Ginther's office said, "Mayor Ginther is committed to continuous improvement. The city's incident response to the cybersecurity attack will certainly identify opportunities to revise existing protocols to further protect the city's data and IT infrastructure."
The city is urging anyone who has not done so yet, to sign up for free creditor monitoring the city is offering.