The City of Columbus, Ohio, has notified 500,000 individuals that a ransomware attack in July 2024 stole their personal information. In incident caused he city to take systems offline to contain the attack, impacting a range of services. The city has since confirmed that allegedly stolen data has been placed on the dark web. This follows the city’s attempt to sue researcher David Leroy Ross, also known as Connor Goodwolf, for informing local media of the theft of residents’ personal data. Both sides have now reached an agreement to drop the case.
Security leaders weigh in
Casey Ellis, Founder and Advisor at Bugcrowd:
It’s good to see the City of Columbus dropping the case, partly in response to outcry from the security community back in July. This is another example of shooting the messenger, and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies, and companies should be working hard to avoid.
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:
Unless organizations have complete confidence in their digital assets, have tight control of configurations, changes and interconnected and interdependent digital systems, they must urgently invest in cyber defense using microsegmentation that can help enterprises deny lateral movement to cyber attackers, ensuring the best possible defense against ransomware. Such investments can help organizations avoid these situations when they are forced to face public scrutiny due to immature legal actions.
Stephen Kowski, Field CTO SlashNext Email Security+:
The city’s lawsuit wasn’t primarily about denying the breach, but rather about preventing premature disclosure of sensitive details while investigations were ongoing. Based on public statements, the researcher had expressed clear intentions to share additional information that could have exposed the personal details of individuals more transparently and easily, including details of minors, before subsequent investigations and protection measures could be completed, especially regarding the assertions the researcher was making legitimately.
The situation highlights the delicate balance between transparency and responsible disclosure — while immediate acknowledgment of breaches is crucial, organizations also have an obligation to protect sensitive data, especially concerning minors, during active investigations. The injunction served its intended purpose by allowing for a complete investigation without risking additional exposure of sensitive information.
The key takeaway isn’t simply about “coming clean“ but about managing incident response in a way that protects all stakeholders. Modern security solutions can help organizations quickly validate and contain breaches while maintaining control over sensitive data disclosure, enabling them to be transparent about incidents without compromising ongoing investigations or exposing vulnerable individuals to additional risk.
John Bambenek, President at Bambenek Consulting:
You would think political officials would know the old saying “It’s not the crime; it’s the cover up.” People are numb to the news of breaches and all of us have at least a dozen letters offering free credit monitoring. Frankly, the city engaged in next-gen stupidity to get back to where they should have been this summer.