Dark web expert warned US city of major hack, city sues

Ransomware has long plagued American municipalities. The attack that struck the city of Columbus, Ohio, last July appeared to be a typical one. The city’s response to the hack, however, was less than positive, and cybersecurity and legal experts across the country are questioning its motives.

Connor Goodwolf (legal name David Leroy Ross) is an IT consultant who searches the dark web as part of his job. “I track dark web-type crimes, criminal organizations, things like what the CEO of Telegram got arrested for,” Goodwolf said.

So when news broke that his hometown of Columbus had been hacked, Goodwolf did what he always does: He went online and snooped. It didn’t take long for him to discover what the hackers had in their possession.

“It wasn’t the biggest, but it was one of the most significant breaches I’ve ever seen,” Goodwolf said.

In some ways, he described it as a routine breach, exposing personally identifiable information, protected health information, Social Security numbers and driver’s license photos. But because multiple databases were compromised, it was more comprehensive than other attacks. According to Goodwolf, the hackers compromised multiple databases for the city, the police department and the state attorney general’s office. There were arrest records and sensitive information about minors and victims of domestic violence. Some of the compromised databases, he said, went back to 1999.

Goodwolf found over three terabytes of data, which took over 8 hours to download.

“The first thing I look at is the prosecutor’s database, and I’m like, ‘Holy shit, these are victims of domestic violence.’ When it comes to victims of domestic violence, we need to protect them the most because they’ve been victims before, and now they’re victims again because their information has been made public,” he said.

Goodwolf’s first action was to contact the city to let them know how serious the breach was, because what he was seeing contradicted official statements. At a press conference on August 13, Columbus Mayor Andrew Ginther said, “The personal data that the threat actor published on the dark web was encrypted or corrupted, so the majority of the data that was provided by the threat actor is unusable.”

But what Goodwolf discovered did not support that view. “I tried to contact the city multiple times, multiple departments, and was turned down,” he said.

Google-owned Mandiant and many other leading cybersecurity firms have seen a continued increase in ransomware attacks, both in prevalence and severity. The Rhysida Group, responsible for the Columbus hack, has also risen to prominence over the past year.

The Rhysida Group claimed responsibility for the hack. While not much is known about the cyber gang, Goodwolf and other security experts say they appear to be state-sponsored and based in Eastern Europe, possibly linked to Russia. Goodwolf says these ransomware gangs are “professional operations” with staff, paid vacations and PR people.

“They have been ramping up the attacks and targeting since last fall,” he said.

The U.S. government’s Cybersecurity and Infrastructure Security Agency published a bulletin about Rhysida last November.

Goodwolf said that because no one from the city responded to him, he went to the local media and shared information with reporters to spread the word about the severity of the breach. That’s when he heard from the city of Columbus, in the form of a lawsuit and a temporary restraining order preventing him from releasing any additional information.

The city defended its response in a statement to CNBC:

“The City initially filed a motion seeking this order, which was granted by the court, to prevent the dissemination of sensitive and confidential information, including potentially the identities of undercover officers, that would jeopardize public safety and criminal investigations.”

The city’s 14-day temporary restraining order against Goodwolf has since expired. A preliminary injunction is now in place, along with an agreement with Goodwolf not to release any further information.

“It should be noted that the court order does not prohibit the defendant from discussing the data breach or even describing what type of data was exposed,” the city’s statement added. “It simply prohibits the individual from distributing the stolen data that was posted on the dark web. The city continues to engage with federal authorities and cybersecurity experts to respond to this cyber intrusion.”

Meanwhile, the mayor was forced to issue a mea culpa at a subsequent press conference, saying his initial statements were based on the information he had at the time. “It was the best information we had at the time. We have clearly discovered that it was incorrect information and I have to accept responsibility for that.”

The city recognizes that the exposure to residents is greater than previously thought and is therefore offering two years of free credit monitoring from Experian to anyone who has had contact with the city of Columbus through an arrest or other matters. Columbus is also working with Legal Aid to determine what additional protections are needed for victims of domestic violence who may have been compromised or need assistance with civil protection orders.

To date, the city has not paid the hackers, who demanded a $2 million ransom.

“He’s not Edward Snowden”

Students studying cybersecurity law and working in the field were surprised that Columbus filed a civil lawsuit against the researcher.

“Lawsuits against researchers in the data security field are rare,” said Raymond Ku, a law professor at Case Western Reserve University. In the rare cases that they do occur, it’s usually when the researcher has allegedly disclosed how a flaw was or could be exploited, allowing others to profit from the flaw as well.

“He was not Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity firm Huntress, who described himself as troubled by the city of Columbus’s response and what it could mean for future breaches. Snowden was a government contractor who leaked classified information and faced criminal charges, but considered himself a whistleblower. Goodwolf, Hanslovan said, is a good Samaritan who independently found the leaked data.

“In this case, it appears that we have silenced someone who, as far as I can tell, appears to be a security researcher who did the bare minimum and confirmed that the official statements were not true. This cannot possibly be an appropriate use of the courts,” Hanslovan said, predicting that the case will soon be overturned.

Columbus City Attorney Zach Klein said at a September press conference that the case “was not about free speech or whistleblowing. This is about the downloading and disclosure of stolen criminal investigation data.”

Hanslovan worries about the domino effect of cybersecurity consultants and researchers being afraid to do their jobs for fear of being sued. “The bigger story here is that we’re seeing the emergence of a new playbook” for hacking response that silences individuals, and that shouldn’t be welcome, he said. “Silencing any voice, even for 14 days, could be enough to prevent anything credible from coming to light, and that scares me,” Hanslovan said. “That voice needs to be heard. As we start to see larger cybersecurity incidents emerge, I worry that people are going to be more concerned about bringing it to light.”

Scott Dylan, founder of British venture capital firm NexaTech Ventures, also believes the city of Columbus’s actions could have a chilling effect on the cybersecurity industry.

“As cyber law continues to evolve, this case will likely come up again in future discussions about the role of investigators in data breaches,” Dylan said.

He said legal frameworks must evolve to keep pace with the complexity of cyberattacks and the ethical dilemmas they pose, and that Columbus’ approach is a mistake.

Meanwhile, Goodwolf’s legal process will continue. Despite Columbus and Goodwolf reaching an agreement last week on the dissemination of information, the city is still suing him for damages in a civil lawsuit that could cost up to $25,000 or more. Goodwolf is representing himself in his discussions with the city, but says he has an attorney on standby if needed.

Some residents have filed a class-action lawsuit against the city. Goodwolf says 55% of the leaked information was sold on the dark web, while 45% is available to anyone with the skills to access it.

Dylan believes the city is taking a huge risk, even if its actions are legally defensible, by appearing to silence discourse rather than encourage transparency. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.

“I hope the city sees the error of its ways in filing a civil lawsuit and the implications beyond just security,” Goodwolf said, noting that Intel is building a $1 billion facility in a Columbus suburb. In recent years, the city has positioned itself as a new tech hub in the Midwest, and attacks on white hats and cybersecurity researchers, he said, could cause some in the tech sector to reconsider it as a location.
