Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts

City of Columbus Sues Man After He Discloses Severity of Ransomware Attack (arstechnica.com) 37

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.

Columbus Mayor Andrew Ginther said on August 13 that a "breakthrough" in the city's forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them "unusable" to the thieves. Ginther went on to say the data's lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.

On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him "interacting" with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which ii claimed would not be easily obtained by others. "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so," city attorneys wrote. "The dark web-posted data is not readily available for public consumption. Defendant is making it so." The same day, a Franklin County judge granted the city's motion for a temporary restraining order (PDF) against Ross. It bars the researcher "from accessing, and/or downloading, and/or disseminating" any city files that were posted to the dark web. The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.

This discussion has been archived. No new comments can be posted.

City of Columbus Sues Man After He Discloses Severity of Ransomware Attack

Comments Filter:
  • SLAPP (Score:5, Insightful)

    by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Friday August 30, 2024 @05:43PM (#64749910) Homepage

    Strategic Lawsuit Against Public Participation

    • Could argue whistleblower protection in that disclosing that the breach was worse then they played it off as.
    • Re:SLAPP (Score:5, Interesting)

      by Brymouse ( 563050 ) on Friday August 30, 2024 @06:44PM (#64750020)

      Yes, but as someone currently being sued in an over 200 page SLAPP suit [w9cr.net], you still have to defend it. I'm about 65k into this and 2+ years of time has elapsed. I've recently become aware of the same suit being filed by the same Plaintiff in another state now, but I've not been served in this new, parallel, litigation.

      The system assumes the Plaintiff's complaint is truthful and it is the responsibility of the defendant to prove otherwise. A defendant must pay for and retain expert witnesses to refute each claim. As an example:

      The website of Defendant actively solicits persons visiting the site to make payments by cryptocurrency, stating, “I support strong crypto. My gpg key is below, please use it.”

      Reading this makes my head hurt, but if it gets to court, I'll need to hire an expert witness (likely 10-20k USD) to refute that. This is just one of the many idiotic claims made in such a SLAPP suit.

      Most people do not have the financial resources necessary to defend such a case. Also if you get it dismissed on jurisdictional or anything before a full trial (summary judgement), you generally are unable to recover attorney's fees.

      This entire action is from a small business owner selling products in the radio enthusiast community who went off over some facebook meme. Basic research found out he was a convicted felon and had made up multiple lies on his public resume. He's suing over publishing his records from PACER [uscourts.gov].

      I wish this researcher the best of luck.

      • Re:SLAPP (Score:5, Interesting)

        by Rhys ( 96510 ) on Friday August 30, 2024 @06:50PM (#64750030)

        Krebs will pick it up and probably the EFF will step in. Possibly also the ACLU. The Streisand effect is going to be in full force and IT at the city is going to get screwed, but we can at least hope it also ends the political careers of those idiots.

        • Sadly today's EFF is not the EFF of 20 years ago. There's enough of these cases now that outside of somewhere like slashdot they don't make the news or if they do, get remembered, let alone bring any help to the affected party.
      • Re:SLAPP (Score:5, Informative)

        by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Friday August 30, 2024 @06:57PM (#64750058) Homepage

        Many states have Anti-SLAPP legislation on the books, whereby a suit can be dismissed with prejudice with the filing of a (relatively) simple pre-trial motion by defendants.

        Ohio is not one of them. They did have bills before their house and senate this summer to implement such... but not yet. They do have a law on the books that allows defendants to recoup costs if they successfully defend against a SLAPP.

        It sucks that you are not in a jurisdiction with strong Anti-SLAPP laws. Good luck to you.

      • by bobby ( 109046 )

        IANAL, but my brother is. I agree that there's a kind of general assumption that plaintiffs are truthful. Who would ever file a false lawsuit based on a lie? (that was sarcasm for those who don't grasp sarcasm). That would be fraudulent, perjurous, and frivolous, right? And maybe more? Hopefully you'll have a strong counter case and will file a case against plaintiff.

        Someone sued me a couple of years ago. Total fraud / perjury. Of course I won. I thought the system would automatically go after the plaintiff

      • Interesting. I clicked through and read your story a bit. My first impression is this:

        You publicly whistleblew on someone in an enthusiast community? Oh god. Buddy, I'm so sorry, you are gonna be dealing with forever. Enthusiast communities attract lots of people who pursue a hobby, borderline-fixated, and are burning time which they literally have nothing else to do with. And you outed one of them for being a past criminal? That guy now has nothing to do with his time, and you just blocked him from do
      • Where are my "Damn, that is interesting" mod points?
  • ...not being burned at the stake?

    Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web,

    ie, every scum-sucking crim out there...

    What universe do these chucklefarks live in? Oh, wait. Nevermind....

    • by sjames ( 1099 )

      They sound like the sort of people who call IT every morning to remind them how to turn the lights on in their office. Does that switch thuingy go up or down, so many confusing choices!

    • by vbdasc ( 146051 ) on Saturday August 31, 2024 @03:15AM (#64750610)

      Your quote is BS. Visiting the dark web requires only moderate computing skills, and the needed tools are free, open source, easy to use and easily obtainable. Proximity to pedophiles, scammers, terrorists and other criminal scum can be unsettling, but personally I feel the same when visiting Microsoft, Facebook and other websites. The light web is just as infested with criminals and assholes as the dark web.

      • I call the "light web" the "deep web" because they do exist but typically deep within social networks. IE: You need to add 5000 friends to find them and consistently be adding friends, or accepting invites. At this point the algorithms do the rest of the work and recommend to you their profiles. I don't entirely know *how* it works, it just does. At least in the gay community. I posted a meme about drugs and instantly had a bunch of offended dope heads commenting on my post. No clue who these people are. So
  • by pr0t0 ( 216378 ) on Friday August 30, 2024 @06:34PM (#64750004)

    Ginther already claimed the data was encrypted or corrupted. If that's true, how can he claim Goodwolf is showing the data to people?

    Oh wait a minute. Was Ginther lying about the data? If so, then it wasn't Goodwolf who made the data public, it was the city.

    Ginther probably wanted to keep this quiet, but that doesn't make any sense either because the city is suing the security researcher. Now it's known in every security circle and tech web site on the planet.

    • by evanh ( 627108 )

      It's the oldest and most used form of cancelling in the book. Look what we can do if you embarrass us.

      And also the most hypocritical. But then that's one of the points I guess. We are hypocrites and we don't care because we don't need to follow the rules ourselves.

    • This is WHY we don't let the CITIZINRY inta thuh WORKINS of GUBMINT. YO-UH sense and REASIN are poison to the BUSINESS of the PEOPLE. Naw sit down, son and I'll get ya straight on this. AWTHORITEE FIGYERS are not to be questioned or otherwise EXPOSED in an UNCOUTH mannah. We want to work within the system, bringin' all ya issues to me first, son. I'll see to them gettin the CORRECT treatment. You GOAN worry that little propeller hat right off y'all's head. Naw runalong.
  • "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to" identify criminals, identify threats and uphold laws. That sounds a lot like what city council agents are doing.

    And bringing council's lies to light isn't remotely a crime. Covering up their mendacity is the real threat to public order.
    • What is it about coming to trial with clean hands? Clearly the councils statement was misleading in the extreme, or a lie at worst. Get a copy of what the consultants claimed. Most expert reports come with a big disclaimer. Clearly the council is up for some creditwatch reporting, because you me and the consumer are lucky to see a buck or two for any gross privacy breach. I think the security consult may be able to get things reversed - because there was no additional damage - it did exist, and early hone
  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Friday August 30, 2024 @07:40PM (#64750128) Homepage Journal

    Not a fan of this specific furry, but I'll give credit where credit is due.

    And the State trying to shut hom up is only going to result in bad things for them. Furries will unite hard over common causes. Witness what was done after Dragoneer's recent death - almost 1/4 million dollars total raised, from under 4,000 people. [gofundme.com]

    Word will get out and furries will fund this one's defense, and counter-suit.

    Also, furries run the internet. Ohio just picked the wrong group to piss off, when it comes to matters of IT.

  • above board (Score:3, Interesting)

    by guygo ( 894298 ) on Friday August 30, 2024 @07:48PM (#64750148)

    'The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.'
    Well that certainly sounds kosher and above board. Amerikan, even.
    Good old "Guilty until proven Innocent". It saves So much time, huh?

  • by yog ( 19073 ) * on Friday August 30, 2024 @08:12PM (#64750198) Homepage Journal
    It seems to me the city of Columbus should hire this fellow, not sue him. If what he's saying is true, he has more competence than the city's I.T. department.
    • If what he's saying is true, he has more competence than the city's I.T. department.

      As someone who does programming for clients ... there is nothing worse than a client with their own in-house IT department.

      (Unless they restrict themselves to merely updating Windows and getting people's mice to work and such.)

    • Have you seen what government pays? If they get the best it's because they were down on their luck and couldn't get a better paying job because they had a bad credit score or unexplained gaps in their employment. (I'm just claiming NDAs next time someone asks, fuck this not lying to people shit, there's no reward for honesty.)

  • Now, if it were me, I would find and anonymously release evidence that this judge is not fit to be a judge, along with further evidence that Ginther is full of shit from non dark web sources.

  • by Anonymous Coward

    ...per normal IT community standards - or did he just go directly to the press?

  • What the CITY should get sued for "damages for criminal acts, invasion of privacy, negligence, and civil conversion"
  • The coverup will be worse than the event. Stoopid city pols
  • ...here whose data was likely exposed. There are a lot of unhappy folks in Columbus and the lawsuits are starting. Mayor Ginther and City Prosecutor Zach Kline have totally botched the response.

    Columbus Dispatch: [dispatch.com]One month into a ransomware attack against Columbus that the city has now acknowledged may have compromised the personal information of close to half a million private citizens and thousands more city employees, the public still knows precious little about what happened.

    Prosecutor's database exposed [dispatch.com]Mayor Andrew Ginther confirmed on Saturday that information in the city prosecutor's database was exposed during the July cybersecurity data breach.

    Private citizen lawsuit. [dispatch.com]"(The breach) affects a huge amount of people," said Meador. "Anyone who scanned their ID to get into city hall, crime victims, so the sky is the limit."

    Employee lawsuit [dispatch.com]A group of anonymous Columbus police officers and one firefighter have filed the second lawsuit against the city claiming their personal information was stolen and some suffered financial losses from bank accounts and credit cards hacked after the city was the victim of a ransomware attack.

    Unfortunately, Ginther was recently re-elected Mayor. We did try and oust him over his proclivity for giving away tax abatements [usatoday.com] that have cost the city school system millions in lost revenue, but we lost by a 2:1 margin.

If you didn't have to work so hard, you'd have more time to be depressed.

Working...