COLUMBUS, Ohio — The City of Columbus has reached a preliminary agreement in its data breach lawsuit against the cybersecurity expert who revealed details of the cyberattack on the city.
City Attorney Zach Klein said they reached an agreement with Connor Goodwolf on Wednesday that protects the sensitive data exposed in the cyberattack from being disseminated, while also allowing Goodwolf to maintain a dialogue with the city regarding the breach. Goodwolf is the name he uses for interviews and is not his legal name.
The agreement does not impact his ability to discuss the cyberattack with members of the media.
"A heartfelt thank you to everyone who has been extremely supportive. I've heard from concerned and caring individuals, ranging from the community at large to those in the cybersecurity, engineering and technology sectors," Goodwolf said. "From the beginning, my goal has been to inform the public and ensure everyone’s safety. I firmly believe individuals impacted by a cybersecurity incident should be informed immediately, rather than waiting months, to know if their personal information has been leaked to the dark web."
According to the agreed preliminary injunction, Goodwolf is prohibited from sharing city data that he obtained, including personal information such as social security numbers, driver's license numbers, bank account information, credit card numbers and other sensitive materials.
“Like many, I remain concerned about anyone having access to this sensitive data, and as this investigation into the cyber intrusion continues, the City Attorney’s Office will continue to keep the best interest of residents, victims, police officers and our city at heart. That remains our top priority," Klein said.
A temporary restraining order was granted against Goodwolf on Aug. 29 after he spoke with several media outlets in the weeks following the city's cyberattack to explain what information was leaked on the dark web.
The city says it first learned something was wrong on July 18 when the city's department of technology "found evidence of an abnormality in its system." The city then severed its connection to the internet.
Two weeks later, the hacker group Rhysida claimed responsibility for the attack, saying it had 6.5 terabytes of data. The group later released 45% of the data it took from the city.
In the lawsuit, the city claimed Goodwolf caused "irreparable harm" and "widespread concern throughout the Central Ohio region."
The city said Goodwolf was threatening to publicly share the city's stolen data in the form of a website that he would create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.
As a part of the agreement, Klein's office also agreed to extend the response date to the lawsuit until Oct. 30.
"The recent agreement in the civil case marks a good first step, but the ultimate goal is to have the case dismissed with prejudice. I look forward to future discussions with the City of Columbus to achieve this goal," Goodwolf said.