Anamika Dey, editor
Brief news
- Columbus, Ohio, faced a significant ransomware attack in July, exposing sensitive data, including personal and health information, leading to concerns about the city’s inadequate response and transparency.
- IT consultant Connor Goodwolf discovered over three terabytes of compromised data and attempted to alert the city, but faced legal action for sharing information, raising alarms about the treatment of cybersecurity researchers.
- The city’s actions have sparked discussions about the implications for cybersecurity practices and researchers, with experts warning that suppressing information could deter future reporting of breaches and damage public trust.
Detailed news
For an extended period, American municipalities have been plagued by ransomware. The city of Columbus, Ohio, was the target of yet another standard ransomware attack in July of this year. Nevertheless, the city’s response to the breach was inadequate, prompting cybersecurity and legal professionals nationwide to doubt its intentions.
Connor Goodwolf, whose legal name is David Leroy Ross, is an IT consultant who is responsible for exploring the dark web as part of his employment. “I monitor criminal organizations, dark web crimes, and incidents similar to those that resulted in the arrest of the Telegram CEO,” Goodwolf stated.
Therefore, upon learning that Columbus, his hometown, had been breached, Goodwolf, as is his custom, conducted an online investigation. It was not difficult for him to ascertain the contents of the hackers’ possessions.
The breach was not the largest, but it was one of the most significant intrusions I have observed, according to Goodwolf.
He characterized it as a routine compromise in some respects, as personal identifiable information, protected health information, Social Security numbers, and driver’s license photos were exposed. Nevertheless, it was more comprehensive than other attacks due to the compromise of multiple databases. The hackers had compromised numerous databases from the city, the police, and the prosecutor’s office, as per Goodwolf. Arrest records and sensitive information regarding domestic violence victims and minors were present. He claims that some of the databases that were compromised date back to 1999.
Goodwolf discovered more than three terabytes of data, which required more than eight hours to retrieve.
“The prosecutor’s database is the initial item I observe, and I am taken aback by the fact that these are victims of domestic violence.” He stated that the protection of domestic violence victims is of the utmost importance, as they have already been victimized and are now being victimized again by having their information exposed.
Goodwolf’s initial response was to notify the city of the severity of the intrusion, as his observations contradicted official statements. During a press conference on August 13, Columbus Mayor Andrew Ginther stated that the majority of the personal data that the threat actor published to the dark web was either encrypted or corrupted. Consequently, the data is unusable.
However, the evidence that Goodwolf was accumulating did not substantiate that perspective. “I attempted to contact the city on numerous occasions, contacting various departments, but I was unsuccessful,” he stated.
Mandiant, a cybersecurity firm owned by Google, and numerous other prominent firms have been monitoring the ongoing rise of the Rhysida Group, which is responsible for the Columbus exploit that has gained popularity in the past year, as well as the prevalence and severity of ransomware attacks.
Responsibility for the breach was asserted by the Rhysida Group. Although the cyber gang is not well-known, Goodwolf and other security specialists suspect that it is state-sponsored and headquartered in Eastern Europe, potentially with ties to Russia. Goodwolf claims that these ransomware organizations are “professional operations” that boast a staff, paid vacation, and public relations personnel.
“They have increased the frequency of attacks and targets since last autumn,” he stated.
In November of last year, the Cybersecurity and Infrastructure Security Agency of the United States government released a bulletin regarding Rhysida.
According to Goodwolf, he reached out to the local media and provided journalists with data to inform them of the severity of the breach after receiving no response from the city. At that time, the city of Columbus issued a lawsuit and a provisional restraining order to prohibit him from disseminating any further information.
In a statement to CNBC, the city defended its response:
“The City initially sought this order, which was granted by the Court, to prevent the dissemination of sensitive and confidential information, which could include the identities of undercover police officers, and that could jeopardize public safety and criminal investigations.” ”
The city’s provisional 14-day restraining order against Goodwolf has since expired, and it now has a preliminary injunction and an agreement with Goodwolf not to disclose any additional data.
The city’s statement also stated that the Court order does not prevent the defendant from discussing the data compromise or describing the type of data that was exposed. “It merely forbids the individual from distributing the stolen data that has been posted on the dark web.” The City continues to collaborate with federal authorities and cyber security professionals in order to address this cyber intrusion.
In the interim, the mayor was required to deliver a mea culpa at a subsequent press conference, stating that his initial statements were predicated on the information available at the time. “It was the most comprehensive information we had at the time.” It is evident that we discovered that the information was inaccurate, and I must assume culpability for this.
The city has issued an offer of two years of complimentary credit monitoring from Experian, as it has come to the realization that the exposure to residents was greater than initially anticipated. This encompasses all individuals who have interacted with the city of Columbus through an arrest or other affairs. Columbus is also collaborating with Legal Aid to determine the necessary additional safeguards for domestic violence victims who may have been compromised or require assistance with civil protection orders.
The hackers, who were demanding $2 million in ransom, have not yet been paid by the city.
“He is not Edward Snowden.”
Columbus’ filing of a civil complaint against the researcher caught the attention of those who specialize in cybersecurity law and are employed in the field.
Raymond Ku, a professor of law at Case Western Reserve University, stated that lawsuits against data security researchers are exceedingly uncommon. In the rare event that they do occur, he stated, it is typically when the researcher is accused of disclosing how a flaw was or can be exploited, thereby enabling others to exploit the flaw as well.
Kyle Hanslovan, CEO of cybersecurity company Huntress, expressed his concern regarding the city of Columbus’s response and its potential implications for future intrusions, stating, “He was not Edward Snowden.” Snowden was a government contract employee who disclosed classified information and faced criminal charges. Despite this, he regarded himself as a whistleblower. Hanslovan asserts that Goodwolf is a Good Samaritan who independently discovered the breached data.
“In this instance, it seems that we have successfully silenced an individual who, as far as I can ascertain, is a security researcher who performed the minimum amount of work and verified the falsity of the official statements.” Hanslovan predicted that the case would be swiftly overturned, asserting that this is an inappropriate utilization of the courts.
During a press conference in September, Columbus City Attorney Zach Klein stated that the case was not about “freedom of speech or whistleblowing.” This pertains to the disclosure and uploading of criminal investigatory records that have been taken.
Hanslovan is concerned about the potential cascading effect, which involves cybersecurity consultants and researchers being hesitant to perform their duties due to the possibility of being sued. “The more significant issue at hand is whether we are witnessing the emergence of a new playbook for hacking response, in which individuals are silenced, and he believes that this should not be embraced.” “I am frightened by the possibility that the suppression of any opinion, even for a mere 14 days, could prevent the disclosure of something credible,” Hanslovan stated. “It is imperative that that voice be acknowledged.” I am concerned that individuals will become more concerned with reporting larger cybersecurity incidents as they become more prevalent.
Scott Dylan, the founder of NexaTech Ventures, a venture capital firm based in the United Kingdom, also believes that the actions of the city of Columbus could have a debilitating effect on the field of cybersecurity.
Dylan stated that this case is likely to be cited in future discussions regarding the role of researchers in the aftermath of data intrusions as the field of cyberlaw continues to develop.
He asserts that legal frameworks must adapt to the complexity of both intrusions and the ethical dilemmas they produce, and that Columbus’s approach is mistaken.
In the interim, Goodwolf will continue to endure the legal procedure. In spite of the fact that Columbus and Goodwolf reached an agreement last week regarding the dissemination of information, the city is continuing to pursue damages against him in a civil suit that could potentially exceed $25,000. Goodwolf asserts that he is representing himself in his discussions with the city, but he maintains that he has a counsel available in the event that it is necessary.
A class-action lawsuit has been initiated by a number of residents against the city. According to Goodwolf, 55% of the information that was compromised has been sold on the dark web, while 45% is accessible to anyone with the necessary abilities.
Dylan believes that the city is taking a significant risk by presenting the impression that it is attempting to suppress discourse rather than promote transparency, despite the fact that its actions may be legally permissible. “It is a strategy that could have unintended consequences, including potential litigation and public distrust,” he stated.
“I am optimistic that the city will recognize the error of filing a civil suit and the repercussions, which extend beyond security,” Goodwolf stated. He also mentioned that Intel is investing billions in the construction of chipmaking facilities in a Columbus suburb, with substantial federal government assistance. In recent years, the city has been establishing itself as a new technology center in the Midwest’s “Silicon Heartland.” He stated that the recent attacks on white hats and cybersecurity researchers could prompt some in the tech sector to reconsider the city as a location.
Source : CNBC News
