Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack
(2024/11/04)
- Reference: 1730739667
- News link: https://www.theregister.co.uk/2024/11/04/columbus_rhysida_ransomware/
- Source link:
The City of Columbus, Ohio, has confirmed half a million people's data was accessed and potentially stolen when Rhysida's ransomware raided its systems over the summer.
In fact, the city noted in a filing that the number of people potentially affected was 500,000 exactly, an oddly round number for data break-in disclosures of this kind.
It's the first time Columbus has confirmed the scale of the ransomware attack and associated data exposure. Rhysida said it dumped around 3 TB worth of stolen files on its blog after failing to net an extortion payment from the city, but as ever with these things, it's difficult to comb through all these records to determine exactly how many people were caught up in the attack.
[1]
That said, we only know the scale because of the [2]filing with Maine's attorney general. The letters sent to the potentially affected individuals, which were delivered on or around October 7, did not mention the number of other victims or detail the nature of the data that's now said to be accessible via the [3]dark web .
[4]
[5]
As ever with ransomware leaks, there is likely to be some variation when it comes to the types of data exposed to the criminals, but Columbus reckons the following personal information comprise the main ones:
First and last names
Dates of birth
Home addresses
Bank account information
Driver's licenses
Social Security Numbers
Other identifying information concerning residents and/or their interactions with the City
Perhaps more concerning was the source of the stolen data, however. Data points are one thing, but when these are combined with the specific source, they can reveal much more than just a name, for example.
Security researcher Connor Goodwolf, whose legal name is David Leroy Ross, previously told [6]CNBC that after downloading the 3 TB file from [7]Rhysida , he found signs that the database belonging to the city's prosecutor was one of the sources of stolen data.
Goodwolf said one of the first observations he made was that domestic violence victims were among the 500,000 affected individuals ( The Register has not downloaded or reviewed the files to verify this). It goes without saying that if those victims had their names and home addresses leaked, their safety could be put in grave danger.
[8]
Columbus sued Goodwolf following his remarks on the incident. It's rarely a good look when ransomware victims sue security researchers over their work, although the city said this was only done to prevent Goodwolf from disseminating the stolen data, which the complaint alleges he threatened to do.
[9]Rhysida ransomware gang ships off Port of Seattle data for $6M
[10]Five months after takedown, LockBit is a shadow of its former self
[11]Ransomware crews investing in custom data stealing malware
[12]British Library's candid ransomware comms driven by 'emotional intelligence'
The civil [13]complaint [PDF] made by the city confirmed the prosecutor's backup database was accessed, as was the backup crime database, which includes details of misdemeanor crimes dating back to 2015.
"This data would potentially include sensitive personal information of police officers, as well as the reports submitted by arresting and undercover officers involved in the apprehension of the persons charged criminally by the City prosecutor's office," the complaint reads.
"These databases also contain the personal information of crime victims of all ages, including minors, and witnesses to the crimes the City prosecuted from at least 2015 to the present."
None of this was included in the letter sent to victims, although it was alluded to in an August [14]press conference .
[15]
Mayor Andrew Ginther was criticized by attendees for backtracking on earlier statements suggesting no data was compromised in the incident, only for him to reveal that, in fact, highly sensitive data was indeed stolen and leaked.
It's worth noting, though, that data leak investigations can take time to determine with certainty the nature and scope of the incident. It's understandable that the mayor didn't want to raise any alarm unnecessarily, but after refusing to pay the criminals, it could be argued the city should have warned that the leaking of data was a possibility.
Although the letter fell short of outlining the sensitive nature of the attack, it does state, however, that the city has no evidence suggesting the stolen data was misused in any way.
Local media [16]reporting soon after the July 18 attack noted that a number of city staff had their bank accounts broken into following the [17]ransomware attack, but a link between the two has not been officially established.
In a slightly unusual move, around the same time as these reports, the city offered all Columbus residents and victims of Rhysida's damage 24 months' worth of Experian credit monitoring. Typically this is offered to the victims only.
"I'm angry and concerned that the city and our residents are victims of this cyberattack," said Ginther at the time. "My priority is to do everything we can to protect the residents of our city. That is why we are extending two years of free Experian credit monitoring to all of our residents to help protect them from potential fraud or identity theft." ®
Get our [18]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/bb45501f-6f7c-40e1-916c-97cc4079b399.html
[3] https://www.theregister.com/2024/10/10/cannabia_bohemia_darkweb_market_investigation/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.cnbc.com/2024/09/15/dark-web-expert-warned-us-hometown-about-big-hack-the-city-is-suing.html
[7] https://www.theregister.com/2024/09/17/rhysida_port_of_seattle/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/09/17/rhysida_port_of_seattle/
[10] https://www.theregister.com/2024/07/31/five_months_after_lockbit/
[11] https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/
[12] https://www.theregister.com/2024/05/20/the_british_library_owes_lauded/
[13] https://www.nbc4i.com/wp-content/uploads/sites/18/2024/08/Complaint-240829.pdf
[14] https://www.youtube.com/watch?v=BUA3BRVGkas&ab_channel=CityofColumbus
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://www.youtube.com/watch?v=JULYOMYGFqM
[17] https://www.theregister.com/2024/10/15/microsoft_ransomware_attacks/
[18] https://whitepapers.theregister.com/
In fact, the city noted in a filing that the number of people potentially affected was 500,000 exactly, an oddly round number for data break-in disclosures of this kind.
It's the first time Columbus has confirmed the scale of the ransomware attack and associated data exposure. Rhysida said it dumped around 3 TB worth of stolen files on its blog after failing to net an extortion payment from the city, but as ever with these things, it's difficult to comb through all these records to determine exactly how many people were caught up in the attack.
[1]
That said, we only know the scale because of the [2]filing with Maine's attorney general. The letters sent to the potentially affected individuals, which were delivered on or around October 7, did not mention the number of other victims or detail the nature of the data that's now said to be accessible via the [3]dark web .
[4]
[5]
As ever with ransomware leaks, there is likely to be some variation when it comes to the types of data exposed to the criminals, but Columbus reckons the following personal information comprise the main ones:
First and last names
Dates of birth
Home addresses
Bank account information
Driver's licenses
Social Security Numbers
Other identifying information concerning residents and/or their interactions with the City
Perhaps more concerning was the source of the stolen data, however. Data points are one thing, but when these are combined with the specific source, they can reveal much more than just a name, for example.
Security researcher Connor Goodwolf, whose legal name is David Leroy Ross, previously told [6]CNBC that after downloading the 3 TB file from [7]Rhysida , he found signs that the database belonging to the city's prosecutor was one of the sources of stolen data.
Goodwolf said one of the first observations he made was that domestic violence victims were among the 500,000 affected individuals ( The Register has not downloaded or reviewed the files to verify this). It goes without saying that if those victims had their names and home addresses leaked, their safety could be put in grave danger.
[8]
Columbus sued Goodwolf following his remarks on the incident. It's rarely a good look when ransomware victims sue security researchers over their work, although the city said this was only done to prevent Goodwolf from disseminating the stolen data, which the complaint alleges he threatened to do.
[9]Rhysida ransomware gang ships off Port of Seattle data for $6M
[10]Five months after takedown, LockBit is a shadow of its former self
[11]Ransomware crews investing in custom data stealing malware
[12]British Library's candid ransomware comms driven by 'emotional intelligence'
The civil [13]complaint [PDF] made by the city confirmed the prosecutor's backup database was accessed, as was the backup crime database, which includes details of misdemeanor crimes dating back to 2015.
"This data would potentially include sensitive personal information of police officers, as well as the reports submitted by arresting and undercover officers involved in the apprehension of the persons charged criminally by the City prosecutor's office," the complaint reads.
"These databases also contain the personal information of crime victims of all ages, including minors, and witnesses to the crimes the City prosecuted from at least 2015 to the present."
None of this was included in the letter sent to victims, although it was alluded to in an August [14]press conference .
[15]
Mayor Andrew Ginther was criticized by attendees for backtracking on earlier statements suggesting no data was compromised in the incident, only for him to reveal that, in fact, highly sensitive data was indeed stolen and leaked.
It's worth noting, though, that data leak investigations can take time to determine with certainty the nature and scope of the incident. It's understandable that the mayor didn't want to raise any alarm unnecessarily, but after refusing to pay the criminals, it could be argued the city should have warned that the leaking of data was a possibility.
Although the letter fell short of outlining the sensitive nature of the attack, it does state, however, that the city has no evidence suggesting the stolen data was misused in any way.
Local media [16]reporting soon after the July 18 attack noted that a number of city staff had their bank accounts broken into following the [17]ransomware attack, but a link between the two has not been officially established.
In a slightly unusual move, around the same time as these reports, the city offered all Columbus residents and victims of Rhysida's damage 24 months' worth of Experian credit monitoring. Typically this is offered to the victims only.
"I'm angry and concerned that the city and our residents are victims of this cyberattack," said Ginther at the time. "My priority is to do everything we can to protect the residents of our city. That is why we are extending two years of free Experian credit monitoring to all of our residents to help protect them from potential fraud or identity theft." ®
Get our [18]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/bb45501f-6f7c-40e1-916c-97cc4079b399.html
[3] https://www.theregister.com/2024/10/10/cannabia_bohemia_darkweb_market_investigation/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.cnbc.com/2024/09/15/dark-web-expert-warned-us-hometown-about-big-hack-the-city-is-suing.html
[7] https://www.theregister.com/2024/09/17/rhysida_port_of_seattle/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/09/17/rhysida_port_of_seattle/
[10] https://www.theregister.com/2024/07/31/five_months_after_lockbit/
[11] https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/
[12] https://www.theregister.com/2024/05/20/the_british_library_owes_lauded/
[13] https://www.nbc4i.com/wp-content/uploads/sites/18/2024/08/Complaint-240829.pdf
[14] https://www.youtube.com/watch?v=BUA3BRVGkas&ab_channel=CityofColumbus
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZylSGNFJjItPH3TcefDRogAAANE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://www.youtube.com/watch?v=JULYOMYGFqM
[17] https://www.theregister.com/2024/10/15/microsoft_ransomware_attacks/
[18] https://whitepapers.theregister.com/
Re: Have we not learned anything?
Will Godfrey
WE have learned that the bastards lie through their teeth.
THEY have learned that they can get away with just about anything without significant consequences.
Re: Have we not learned anything?
An_Old_Dog
I'd give you a million upvotes for this, if I could.
Have we not learned anything?
Don't store info you don't need. Ideally don't collect info you don't need, but this is govt.
So check a driving record on hiring but don't store the license on a live system afterwards.
If you need to check SSN don't store it, or store a hash and ask people for it again if you need to verify. And ffs stop assuming knowing your SSN proves identity.
And if you must store data - silio it. The receptionist who clicked on a spam link shouldn't have full access to every field in every database and every file share.
This goes double for bosses, the higher up the tree you are - the less data you NEED direct access to.
Strangely this should have been obvious to high school kids 20 years ago so it's not like this is a "workplace boomers don't understand computers" thing