COLUMBUS, Ohio — Columbus Mayor Andrew Ginther on Saturday publicly addressed the cybersecurity attack that has been impacting the city since July.
Ginther's office said that on July 18, the city's technology department found evidence of an abnormality in its system. Once the threat was identified, the department severed the internet connection to reduce the threat to the city's systems.
Investigators initially believed that the cybersecurity incident happened from an email link, but later discovered that the threat actor gained access to the city’s system through a website download.
During his press briefing, Ginther confirmed that “personally identifiable information” was leaked on the dark web. He also confirmed that data, such as information on criminals, victims of crime and witnesses, from the city prosecutor's office was leaked.
Ginther added that more personal information may have been accessed and could be published on the dark web.
Cybersecurity experts told 10TV that the affected citizens are anyone who swiped their driver's license at City Hall in the last 10 years. It also includes anyone who has dealt with the Columbus City Attorney's Office in any way, including victims, suspects or someone who was subpoenaed by the court or law enforcement.
In previous interviews, Ginther said he was aware of reports of city and personal data being leaked on the dark web. At the time, he said the files were corrupted or encrypted, making them "totally unusable."
On Saturday, the mayor said the answer he received then was the "best information we had at the time" and claimed responsibility for sharing it in interviews.
"Clearly, we discovered that it was inaccurate information and I have to accept responsibility for that," he said.
Ginther added that the cyberattack is a complex situation and an ongoing investigation. He also assured that he would be transparent and honest with the public about the findings.
“My number one job is to do everything I can to protect the residents of Columbus,” he said.
On Aug. 2, the city announced it was offering its employees credit monitoring as a precautionary action while they continue to investigate the incident. On Friday, the service was expanded to include all citizens impacted by the cyberattack.
Two Columbus-based law firms filed an amended complaint expanding the class action lawsuit against the city as the repercussions of a ransomware attack continue to unfold.
Cooper Elliott and Meyer Wilson filed a class action lawsuit against the city earlier this month on behalf of two police officers, alleging that the city failed to protect sensitive data following the cyberattack.
When the lawsuit was first filed, the plaintiffs included city employees affected by the data breach. The amended complaint now includes any resident who is affected.