Names of undercover agents, crime victims found on dark web after Columbus data breach

The latest sensitive information leaked from Columbus city databases to the dark web includes names and personal information of undercover police officers and child rape victims.

Cybersecurity expert Connor Goodwolf said a database he was able to download from the dark web, which he called the city attorney’s office’s “matrix crime database,” contains every incident report and arrest report written by officers since mid-2010.

This includes names of officers and victims, personal information such as addresses and social security numbers, names of undercover officers, and summaries of incidents and evidence such as witness and victim statements.

According to Goodwolf, this even includes the names of victims of child abuse and survivors of domestic violence.

“We also talk about information. Victims, suspects, witnesses. That includes (personally identifiable information). That could be name, address, phone number, social security number, employment, employer. That’s all in here,” Goodwolf said.

Goodwolf claims that all of this sensitive data was not properly protected with encryption or what he calls basic cybersecurity techniques. He claims that the only data he has found online with such protections so far is municipal payroll records and medical records.

“I could go on for hours about just this one database. It’s just that this information should have been protected. General security, standard security practices should have been followed,” Goodwolf said.

The Columbus mayor’s office and the city attorney’s office have not yet responded to a request for comment on the latest documents found.

The data leaked online has been traced to the cybercrime group Rhysida, which attempted to spread ransomware after an employee downloaded an infected file, according to the city.

While the city claims it prevented the ransomware from encrypting its files, the group leaked an unknown amount of city data to the dark web.

The case remains pending before state, city, and federal law enforcement agencies.

It was previously announced that the personal data of hundreds of thousands of city residents had been leaked online.

The city offers free credit monitoring to all residents.

Goodwolf said there appear to be a lot of cases that are particularly sensitive in these databases, not just child abuse victims and domestic violence cases, but also things like protective orders.

“This is just so heartbreaking. I’m just. My stomach is just doing somersaults,” Goodwolf said.

Goodwolf said people should take advantage of the free credit monitoring, but also consider other options. He mentioned ideas ranging from something as simple as changing all passwords to opening new bank accounts and even considering moving out of Columbus if data on a particularly sensitive crime has been leaked.

The city is already facing class action lawsuits from multiple plaintiffs who claim the city has not done enough to protect their personal information online. These plaintiffs include former and current members of the Columbus Divisions of Police and Fire.

Brian Steel, president of the Fraternal Order of Police Capital City Lodge No. 9, told WOSU he is concerned about the safety of undercover officers in particular.

“These guys are already taking a huge risk. You have to remember these undercover agents, they’re undercover with drug cartels, street gangs, you name it. Organized crime. So, it’s very concerning,” Steel said.

Steel said the fact that child abuse victims’ personal information is on the dark web makes him even more concerned.

“This is stuff that was never meant to be made public because it’s so horrific. The details, some of these crimes, it’s just disgusting,” Steel said.

Steel said if it is the case that the data was not encrypted, he expects the city to be held responsible.

“If that is the case and the city is neglecting its basic duty to protect the public, to protect victims of crime, to protect its employees, then the FOP expects them to be held accountable. Just as I would expect any of my members to be held accountable if they completely neglected their duties, as the city apparently did,” Steel said.

Goodwolf said this data is available to anyone on the dark web who has the technical know-how, or even less than that, to download and open the files Rhysida posted.

Goodwolf said he believes trust in the city has “completely eroded” after this hack.
