Cybersecurity Researcher Faces Legal Battle Over Ransomware Leak
The city of Columbus, Ohio, has filed a lawsuit against cybersecurity researcher David Leroy Ross, known as Connor Goodwolf. He is accused of illegally downloading and distributing data stolen from the city’s IT network following an attack by the Rhysida ransomware group.
On July 18, Columbus, the largest city in Ohio, suffered a ransomware attack that disrupted city services and communications between institutions. By the end of July, city officials stated that while the systems had not been encrypted, there may have been a data breach. The Rhysida group claimed to have stolen 6.5 terabytes of data, including personal information of employees and recordings from city cameras.
On August 8, after a failed extortion attempt, the attackers released 45% of the stolen data. Among the leaked files were database backups containing information collected by the police and prosecutor’s office since 2015, including details about undercover officers.
Columbus Mayor Andrew Ginther initially asserted that the leaked data was of no value and could not be used. However, Goodwolf refuted this, pointing out the presence of unencrypted personal information of city residents in the leaked data. According to media reports, the leaked information included the names of individuals involved in domestic violence cases as well as Social Security Numbers (SSNs) of police officers and crime victims. The breach affected not only government employees but also exposed personal information of residents and visitors over the past several years.
In its lawsuit, the city accuses Goodwolf of negligence and unlawful actions that have sparked public outcry. Authorities also claim that access to the data was restricted and required specific skills to locate and download from the dark web. The government further noted that the dissemination of the data hinders the investigation of crimes. Columbus is seeking a ban on further distribution of the data and damages exceeding $25,000. The city attorney emphasized that the lawsuit is aimed at preventing the spread of the stolen information, not at restricting freedom of speech.
