In July, Columbus, Ohio, experienced a ransomware attack, which initially appeared to be a typical breach. However, the city’s unusual response sparked concern among cybersecurity experts and legal professionals. IT consultant David Leroy Ross, also known as Connor Goodwolf, uncovered a significant breach exposing sensitive data from various city databases, including arrest records, domestic violence cases, and personal information.
This attack, carried out by the Rhysida Group, affected the city, police, and prosecutor’s office, with some databases going back to 1999.
Goodwolf, whose expertise involves monitoring dark web activities, discovered that over three terabytes of data had been stolen. Among the exposed data were personal identifiable information, protected health information, and social security numbers. Goodwolf expressed particular concern over the exposure of sensitive information involving minors and domestic violence victims, emphasizing that they were now victimized a second time.
Despite the serious implications, the city’s response appeared to downplay the breach. At a press conference in mid-August, Columbus Mayor Andrew Ginther claimed that the stolen data was encrypted or corrupted, making it largely unusable. Goodwolf, however, contradicted this statement, revealing that the data he found was intact and usable. When he attempted to notify city officials, he was met with resistance and a lack of cooperation.
As a result, Goodwolf turned to the media, which led the city of Columbus to file a lawsuit and secure a temporary restraining order against him. The lawsuit, intended to prevent the further dissemination of sensitive information, raised concerns in the cybersecurity community.
Legal experts pointed out that such lawsuits against data security researchers are uncommon and could have broader implications.
Raymond Ku, a professor of law, noted that lawsuits against researchers typically arise when the disclosure of a vulnerability puts others at risk. However, cybersecurity professionals, such as Kyle Hanslovan, CEO of Huntress, argued that Goodwolf was acting as a responsible researcher. Hanslovan warned that this approach could set a dangerous precedent, silencing individuals who work to expose breaches.
The city defended its actions, stating that it sought to prevent the release of confidential information, including undercover police identities. Although the restraining order expired, Columbus continues its civil lawsuit against Goodwolf, seeking up to $25,000 in damages.
As Columbus works to recover from the attack, the broader implications of its actions toward Goodwolf remain a point of contention. Experts argue that the case highlights the need for a legal framework that balances the protection of sensitive information with the role of security researchers in revealing vulnerabilities. As Columbus strives to position itself as a tech hub, this legal battle could affect its reputation and relationships within the tech industry.