‘Devastating:’ Stolen Columbus data leaked by ransomware group after auction gets no bids
COLUMBUS, Ohio (WCMH) — Over three terabytes of stolen data, including Columbus employees’ personal files, were dumped on the dark web Thursday morning, after two auctions by the hackers that attacked the city failed to attract bids.
The Rhysida ransomware group began leaking the data after an extended auction ended at 5:35 a.m., according to Ohio State assistant professor Carter Yagemann, CMIT Solutions’ Daniel Maldet and other cybersecurity experts who have watched the group’s onion site on the dark web. While the full 6.5 terabytes that the hackers claimed to have has yet to be uploaded, the portion that has made it online includes files from dozens of city employees’ computers, as well as SQL backup files for entire databases.
The massive size of the 258,270 files released means it’s not readily apparent what they contain. But NBC4 reviewed a list of employees’ names found within the data, confirming Rhysida’s leak not only included current workers, but also at least one contractor and one former staff member who left in 2021.
Maldet told NBC4 that it’s possible the other portion of data that wasn’t uploaded did find a buyer, but there is no way to verify that. Still, cybersecurity expert Shawn Waldman provided context on the gravity of the situation.
“This is really devastating because it appears that some of the personally identifiable information is already out and available,” Waldman said. “Combine that with the fact that the City of Columbus has just now started rolling out credit monitoring, that may mean that the credit monitoring process may be completely ineffective due to the information being leaked before it became effective.”
- Rhysida restarted an auction for stolen City of Columbus data on the group’s dark web onion site. (Courtesy Photo/Daniel Maldet)
- Rhysida begins leaking stolen data from the City of Columbus on the group’s dark web onion site. (Courtesy Photo/Daniel Maldet)
Rhysida wanted 30 bitcoin — or around $1.7 million — as the starting bid for the auction. The hackers previously advertised they stole employees’ internal logins and passwords, Social Security numbers, and access to city video cameras as well. They had previously started to leak the data Wednesday morning after the original auction ended, but never made a working link available and instead reopened bidding. Maldet shared insight with NBC4 on why Rhysida may have changed course.
“Even though it didn’t sell up until this point, we don’t know what kind of offers it may have gotten,” Maldet said. “So, I’m guessing that they do have some valuable data there and they feel that it’s worth selling versus releasing.”
NBC4 reached out to multiple city officials, each of whom pointed back to Columbus Mayor Andrew Ginther’s office. Ginther avoided naming Rhysida but acknowledged the public leak in a Thursday afternoon statement, challenging the danger of what was released.
“While a foreign cyber threat actor claims to have released city data, it has not been validated that the data is usable or valuable,” Ginther wrote. “The fact that the threat actor’s attempted data auction failed is a strong indication that the data lacks value to those who would seek to do harm or profit from it.”
The city has repeatedly told NBC4 it is limited in what it can share, citing an active investigation involving the FBI and the U.S. Department of Homeland Security. The mayor previously told NBC4 that the city’s IT staff first detected the cyberattack on July 18, pointing to a .zip file downloaded from a website as the source. While they were able to stop Rhysida from encrypting the city’s systems and locking employees out, he admitted data may have been taken.
“For non-IT people, folks at home, the best way to describe this would be robbers were in our house,” Ginther said. “They tried to lock us out from our own house, but we stopped them. They took some valuables, data, and we’re in the process of determining the extent, and their value, data, before we notify their owners.”
Waldman said that the leak after a restarted auction was an apparent sign that “negotiations either are not going well, or there are no negotiations.”
“I would honestly expect to see the rest of the data leaked in the near future,” Waldman said. “If the city doesn’t continue some type of negotiation or communication with a threat actor, I think you’ll see the entire data set made available.”
Copyright 2024 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

