Police officers suing Columbus for keeping them 'in the dark' over ransomware attack
View a previous report on the Rhysida ransomware attack in the video player above.
COLUMBUS, Ohio (WCMH) -- The City of Columbus is now facing a class-action lawsuit Friday over its handling of the Rhysida ransomware attack.
Prepared by the law firm Cooper Elliott, it invites every employee with the city, as well as the Franklin County Municipal Court judges and clerk's offices, to participate. But at the forefront are two Columbus police officers only referred to as "John Does #1 and #2."
In his most recent comments about the ransomware attack, Mayor Andrew Ginther challenged the danger of the stolen data. He said the fact no buyers have surfaced for it shows it "lacks value to those who would seek to do harm or profit from it." But attorneys for the two officers wrote that the former has already suffered damage, while the latter -- an undercover cop -- now risks having his cover blown.
"Plaintiff John Doe #1 has received two notifications, one from his bank and one from his credit card provider, that his social security number has been compromised and was found on the dark web," Cooper Elliott's attorneys wrote in a complaint. "(John Doe #2) has a well-founded fear that, should his identity as a police officer come to light, not only will ongoing criminal investigations be jeopardized, but his life is in clear and present danger."
The lawsuit also criticizes the city's handling of the ransomware attack, and accused it of keeping employees "in the dark" since it was first detected on July 18. Ginther has said that his IT staff pointed to a downloaded .zip file as the source. While he said they were able to stop hackers from encrypting the city's systems and locking employees out, he admitted attackers may have taken personal data.
At the end of July, Rhysida claimed responsibility for the attack and advertised 6.5 terabytes of the city's data on an onion site. After two auctions asking for 30 bitcoin -- or just under $2 million -- failed to secure a bidder, they dumped more than three terabytes of city data on the dark web.
"In its (ultimately premature) press release congratulating itself on 'thwarting' the
cyberattack, defendant represented that it 'has been engaged in a methodical process to ensure that its technology systems are hardened against further breach before bringing them back online.' But this is too little too late," Cooper Elliott's attorneys wrote. "Simply put, these measures—which defendant now recognizes as necessary—should have been implemented before the data breach."
A spokesperson for the mayor's office told NBC4 the city is unable to comment on pending litigation.
The lawsuit does not name Rhysida as being behind the ransomware attack, nor has Ginther besides acknowledging a "threat actor" claimed to have leaked data online. However, the lawsuit complaint includes a screenshot taken directly from the group's onion site.
View the full lawsuit complaint document below:
Another cyberattack: Breach knocks Ohio School Boards Association offline
A class-action brewing against Columbus comes the same day the Ohio School Boards Association became the latest victim of a cyberattack.
OSBA CEO Kathy McFarland confirmed the organization cut off its internet access due to a Thursday data breach. In a statement to the association's members, she explained her team immediately made a decision that knocked the OSBA website and email system offline.
"Yesterday, the OSBA computer network was attacked. This network breach quickly affected our normal operations," McFarland wrote. "As soon as we became aware of the incident, we immediately severed our network’s connection to the internet to limit further damage. At the same time, we retained outside cyber counsel and forensic IT specialists to investigate the scope and cause of the incident and assist with our remedial efforts."
McFarland said the association does not regularly store any sensitive data, like Social Security numbers or financial information. With membership including 700 school boards and 3,500 elected and appointed officials in Ohio, she does not believe any of their important data was compromised as of Friday.
The CEO told NBC4 that because OSBA is in the early stages of its investigation, it does not know if a hacking group like Rhysida was behind the attack.