The Brazen Attack On A Data Breach Whistleblower By The City Of Columbus

Following a ransomware attack on the city of Columbus, a cybersecurity specialist exposed what data was breached. The city silenced them.

Zach Klein, the City Attorney for Columbus, Ohio (Screen shot from NBC4 Columbus/Fair use for purpose of news and commentary)

Thank you for supporting The Dissenter Newsletter. The following article is published exclusively for paid subscribers.

A cybersecurity specialist exposed false statements made by the city of Columbus, Ohio, about a ransomware attack, which compromised the personal data of hundreds of thousands of people. Embarrassed city officials sued the whistleblower and further silenced them with a restraining order. 

On July 18, the city of Columbus was targeted by an international ransomware group. All city systems were shut down to try to prevent the group from holding data hostage.

Rhysida took credit for stealing “6.5 terabytes of databases including logins and passwords, servers with emergency service applications, and city video camera footage,” according to a local NPR news affiliate.  

Nearly a month later, on August 15, Columbus Mayor Andrew Ginther told reporters, “None of our employees data, none of them were put at risk. And based on what we know at this point, all of the information that was taken was encrypted or corrupted, which makes it unusable.”

But David L. Ross Jr., an expert on cybersecurity who goes by “Connor Goodwolf,” challenged the mayor’s claim about the "unusability" of the data.

According to The Columbus Dispatch, Goodwolf located the stolen data, analyzed the information, and “found the names, addresses, birth dates, driver's license numbers, and Social Security numbers of more than 470,000 people in Columbus and outside of the state of Ohio - including himself.”

Goodwolf also identified the names of undercover police officers and “the names of domestic violence and sexual assault victims and juveniles, who are either victims or suspects in crimes.” He uncovered “the names of people who visited city hall." He found “server records and documents belonging to City Attorney Zach Klein’s office”—the office which later sued him. 

More from The Columbus Dispatch’s report:

"This data could be used for a lot of unlawful purposes," said Goodwolf. "I can create a CashApp account, open a utility account, or even shut off someone's utilities." Goodwolf also noted that since the names and addresses of domestic violence victims have been exposed, this could leave them open to being extorted.

Goodwolf estimated that only 25 percent of the stolen data was still encrypted.

The next day the city of Columbus announced that they would offer free “credit monitoring” to “all city residents and other impacted individuals,” a service that was initially extended to only current and former city employees. 

Goodwolf clearly uncovered details about the severity of the data breach that were unknown to city officials. The city had provided little transparency when it came to answering questions about the ransomware attack. Officials were humiliated, and to shift the narrative away from this embarrassment, they retaliated.

Ross informed The Columbus Dispatch when he was first sued that the city had accused him of fueling “unrest,” accessing a “law enforcement system,” and engaging in “privacy violations.”

On August 29, a county judge granted the city’s request for a temporary restraining order.

City Attorney Zach Klein insisted that the lawsuit against Goodwolf was not an attack against a whistleblower or freedom of expression.

“[This is] about the actual action of going on the keyboard, going into the dark web, gathering information, downloading it to your computer and then disseminating to people that are in the press and otherwise," Klein stated. "This [in] effect is to get him to stop downloading and disclosing stolen criminal records to protect public safety.”

As the city attorney put it, Goodwolf had used his "sophisticated" knowledge to go on the “dark web” and download files containing the names of police and “pending cases that involve suspects and witnesses.” 

Aaron Mackey, a free speech and transparency litigation director for the Electronic Frontier Foundation, countered, “It doesn’t take any sophistication or vast technical knowledge to access that. You can actually use a Google search to download a browser called Tor, which stands for ‘the onion router,’ and it allows you to actually access a lot of this material online. So it’s as sophisticated as downloading an app on your phone.”

“It clearly violates his First Amendment rights to make sure that the public understands and is informed on this very significant privacy breach that is the result of what sounds like the city’s own inaction or inability to properly secure its data,” Mackey further asserted. “Rather than thank this individual for coming forward and actually explaining to the public that this is a significant problem, the city has [resorted] to basically violating his First Amendment rights and claiming that what he’s done is some sort of illegal act.”

Amelia Robinson, who is The Columbus Dispatch’s opinion and community engagement editor, condemned the city’s lawsuit against a whistleblower.

“We did not and would not have known we needed anything to be protected from if not for Goodwolf telling the media about the dangers facing the public,” Robinson declared. “Where Goodwolf has been detailed, the city has been vague and defensive.” 

Robinson added, “[The public] would not have known the extent of the breach if Goodwolf—‘big, bad’ whistleblower—had not exercised free speech to reveal it to the media. Victims of the cyberattack like me would not have known to take protective action.”

The city of Columbus will most likely be counter-sued by Ross for violating his First Amendment rights, and officials should be hauled into court to answer for this stunning act of whistleblower retaliation.