The City of Columbus, Ohio, recently disclosed a significant data breach that compromised the personal information of around 500,000 residents, nearly half of its population. The cyberattack, launched in July by the Rhysida ransomware group, infiltrated the city’s networks, capturing residents’ sensitive data, including Social Security numbers, banking information, identification documents, and personal addresses.
Although city officials initially stated that they had successfully mitigated the attack, Rhysida later claimed responsibility and alleged that they had extracted 6.5 terabytes of data, some of which they have since released on dark web platforms.
Following the breach, the city attempted to reassure the public, with Mayor Andrew Ginther suggesting that the compromised data might be “corrupted” or “unusable.” However, cybersecurity researcher David Leroy Ross disputed this, showing evidence that unencrypted data was accessible and posted online. In response, Columbus filed a lawsuit against Ross, alleging he was unlawfully sharing the stolen data.
The legal actions underscore the city’s struggle to both contain the spread of leaked information and manage the fallout of the attack, which has already affected hundreds of thousands of Ohio residents.
Why It Matters: The Columbus data breach highlights the growing vulnerabilities in municipal cybersecurity and the immense risks residents face as their personal data is exposed. For a major U.S. city, an attack of this scale signals how even sophisticated responses can be insufficient against ransomware gangs that continue to refine their tactics. Additionally, the disclosure that this data breach was far more extensive than initially suggested—especially given the highly sensitive nature of the information stolen—raises urgent questions about the preparedness of local governments to handle cybersecurity threats.
- Data Breach Scope and Notification: Columbus disclosed that approximately 500,000 residents had their data compromised during a ransomware attack by the Rhysida gang, affecting nearly half of the city’s population. Information stolen included Social Security numbers, banking details, and government-issued identification, which was later leaked on the dark web.
- Initial City Response and Contradictory Claims: City officials initially assured the public that the breach had been “thwarted” and data was unusable due to corruption. However, security researcher David Leroy Ross contested this, revealing unencrypted data samples. This discrepancy raised doubts about the city’s transparency and initial handling of the breach.
- Legal Actions Against the Researcher: Columbus filed a lawsuit against Ross, alleging he was sharing the city’s stolen data. This legal action includes a temporary restraining order to prevent further access and dissemination, underscoring the tension between cybersecurity transparency and control over data breaches.
- Rhysida’s Ransom Demands and Data Leak: Rhysida demanded a ransom of 30 Bitcoin (around $1.9 million at the time) to prevent data leakage. After the city declined payment, the ransomware group began leaking files, with 45% of the data—including employee credentials, city camera feeds, and personal documents—released on their leak portal.
City of Columbus: Data of 500,000 Stolen in July Ransomware Attack – Bleeping Computer