The city of Columbus, Ohio, has initiated legal action against security researcher David Leroy Ross, also known as Connor Goodwolf, accusing him of unlawfully obtaining and distributing data leaked by the ransomware group Rhysida. Ross had originally sought to keep the leaked data confidential, but after the city rejected his request, he released some of the data to the media.

Columbus, the capital of Ohio with a population of 2.14 million, suffered a ransomware attack on July 18, 2024, which disrupted various services and made key IT systems like email and public institutions inaccessible. At the end of July, city officials stated that while no systems were encrypted, they were investigating whether confidential data had been stolen.

On the same day as the city’s announcement, Rhysida claimed responsibility for the attack, alleging they had stolen 6.5TB of data, including employee credentials, server data, city surveillance footage, and other sensitive information. After the city refused to meet their ransom demands, Rhysida retaliated by releasing 260,000 files, totaling 3.1TB. According to a later lawsuit filed by Columbus, the leaked files included data going back to 2015, containing significant information collected by local prosecutors and police, as well as personal details of undercover investigators. However, despite this, the mayor of Columbus downplayed the breach, asserting that the leaked information was neither valuable nor usable, and that the attack had been successfully repelled.

This response prompted skepticism from Ross, who obtained the leaked data from the dark web, analyzed it, and found that it did indeed contain sensitive information. He then shared these findings with the media, challenging the mayor’s assertion that no valuable data had been leaked.

In response, the mayor argued that the leaked data was unusable due to encryption or corruption and assured the public that there was no cause for concern. Ross, however, disputed this claim and provided samples of the unencrypted data to the media, which included personal information of Columbus residents. NBC4, which received the data from Ross, reported that it included the names of individuals involved in domestic violence cases, as well as social security numbers of police officers and crime victims, revealing sensitive information not just about city employees, but also residents and visitors from past years.

The city of Columbus subsequently filed a lawsuit against Ross, acknowledging that while he published the data on a restricted access platform and did not make it publicly available, his actions in distributing the stolen data were negligent and unlawful. The city is also concerned about Ross’s intention to create a website where citizens can check if their data was leaked, which they fear could interfere with police investigations.

Comments on the social networking site Hacker News reflected the uncertainty surrounding Ross’s actions, with some noting that the legality of his actions depends on whether he shared the data itself or merely disclosed its existence, and speculating that this lack of transparency might have led to the lawsuit.

The city of Columbus also sought a restraining order against Ross to prevent further distribution of the stolen data. A judge granted a temporary restraining order prohibiting Ross from accessing, downloading, or distributing the data. The mayor emphasized that this injunction does not suppress free speech, allowing Ross to continue discussing the case and explaining what data he possesses, but forbidding him from distributing it.

Columbus is seeking over $25,000 in damages from Ross. Meanwhile, the leaked data remains accessible on the dark web to those with the requisite knowledge.