Columbus pledges $3 million more to fix data breach
COLUMBUS, Ohio (WCMH) -- The Columbus Department of Technology is asking city council for more money 81 days after the city first knew of the cyber attack on its systems.
On Monday, the city expanded the budget for the hack to $7 million; $3 million of that is new funding approved at council’s meeting Monday to cover costs through the rest of the year.
However, the overall cost is expected to be even higher. This expenditure covers investigating how the attack was able to happen, what was stolen, identity theft protection services, legal counsel to defend the city from a class action lawsuit and much more. It does not include long-term investments that the city said it will make.
"We are dedicated to addressing the damage caused by this attack, supporting our residents and building a more secure, resilient technology infrastructure for the future," Department of Technology Director Sam Orth said.
Here is a breakdown of the budget from the city:
- Up to $2,401,052 for system forensics, systems remediation, data mining, data forensics and cyber threat monitoring. These services are helping to limit the extent of the cyberattack, understand what occurred and ascertain what information was posted to the dark web by Rhysida.
- Up to $1,644,348 for Experian identity theft protection services, including credit and dark web monitoring. This budget is an estimate based on industry-standard utilization rates for such services. The city’s final investment could fluctuate, based on actual enrollments.
- Up to $1,952,100 for legal counsel related to the incident response.
- Up to $1,000,000 for systems, endpoint and cyber threat monitoring for long-term use by the city.
- Up to $300,000 for legal counsel related to litigation.
- Up to $2,500 for expenses such as hard drives and tools.
"This is just the beginning, but I think that there's no price that we can put on the security of our data and our residents’ security as well," Columbus City Councilmember Nick Bankston said. "This is coming out of our special income tax set aside fund. So we set aside 25% of every dollar that we collect from income tax to pay for, in particular, our debt services. So that's how we pay for our bonds. But it's also additional money that we set aside for emergencies like this."
Orth said there is a large team sorting through what was accessed, stolen and leaked onto the dark web. The ransomware group claims to have 6.5 terabytes of city data.
"To put things into perspective, the city manages over 8.5 petabytes of data," Orth said. "That's equivalent to 2.2 trillion sheets of paper; if stacked, that will reach approximately 139,000 miles high, or almost half the distance to the moon."
Orth said 22% of the accessed system still needs to be restored.
"While the investigation is ongoing, it is clear that this was a very sophisticated intrusion," he said. "Experts are reviewing forensic artifacts to determine the techniques and the tools that the cybercriminals used."
City officials said the goal is to have the breach report finished before a hearing council plans to hold.
"How are you educating yourself on cyber security in order to ask the important accountability questions during the public hearing?" NBC4 Investigates Isabel Cleary asked Bankston.
"Yeah, I think the biggest thing is making sure that we continue to have briefings and those updates that we get every single Monday, and also we are anticipating that final report that will come from our breach counsel and the cyber security experts that we're working with, that is really what I'm looking forward to so I can sink my teeth into that to be able to ask those more substantive questions," Bankston said.
As he has since the breach was first discovered, Orth declined a request for an interview following his presentation to council. NBC4 will continue asking for one.
The department's financial request to council can be read in full below.