
Researcher Sued for Disclosing Ransomware-Compromised Data to Media

The City of Columbus, Ohio, has initiated legal action against security researcher David Leroy Ross, also known by his alias Connor Goodwolf, following allegations that he illegally accessed, downloaded, and disseminated sensitive data stolen from the city’s IT network. This data was originally compromised and leaked by the Rhysida ransomware gang after a significant cyberattack on July 18, 2024, which disrupted numerous city services, including email and IT connectivity between public agencies.

Columbus, Ohio’s largest city and capital, home to over 2.1 million residents, was the target of this ransomware attack, which Rhysida later claimed responsibility for. The group alleged that it had stolen 6.5 terabytes of data, including highly sensitive information such as employee credentials, server dumps, and city surveillance footage. Despite these claims, city officials initially downplayed the severity of the breach, stating that no systems had been encrypted and that the potential theft of sensitive data was under investigation.

However, as tensions escalated, Rhysida published 45% of the stolen data, amounting to 3.1 terabytes and comprising 260,000 files. This dataset reportedly included two significant backup databases containing extensive data from local prosecutors and the police force, with records dating back to 2015. Among the exposed information was the personal data of undercover officers, which raised alarms about the potential risks to law enforcement and public safety.

In the wake of this data leak, Mayor Andrew Ginther attempted to reassure the public by claiming that the leaked information was neither valuable nor usable. He stated that the attack had been effectively neutralized. However, Goodwolf challenged these assertions, providing evidence to the media that the leaked dataset contained unencrypted and highly sensitive personal information. This included names associated with domestic violence cases, Social Security numbers of police officers, and data on crime victims, which had been made publicly accessible.

Goodwolf’s revelations contradicted the city’s narrative and drew significant attention to the severity of the breach. Despite Mayor Ginther’s subsequent claim that the leaked data was “encrypted or corrupted” and therefore of no concern, Goodwolf continued to dispute this, sharing further samples with the media to demonstrate the extent of the data exposure.

The City of Columbus responded by filing a lawsuit against Goodwolf, accusing him of exacerbating the situation by illegally disseminating the stolen data, which they argue was not readily accessible to the general public due to its location on the dark web. The complaint alleges that Goodwolf’s actions have caused widespread concern throughout Central Ohio and have interfered with ongoing police investigations. The city is seeking a temporary restraining order, a preliminary injunction, and a permanent injunction to prevent Goodwolf from further disseminating the stolen information, along with damages exceeding $25,000.

A Franklin County judge has already issued a temporary restraining order against Goodwolf, barring him from accessing, downloading, or disseminating any more of the city’s stolen data. The order also requires him to preserve all data he has downloaded so far.

In a press conference, City Attorney Zach Klein emphasized that the lawsuit is not an attempt to suppress free speech. He clarified that while Goodwolf is still free to discuss the data breach publicly, the legal action is focused on preventing the further spread of the compromised information, which could have severe implications for both city employees and residents.

This case highlights the complex intersection between cybersecurity, public safety, and the ethical responsibilities of those who handle sensitive data. The outcome of this lawsuit could set important legal precedents regarding the limits of security research and the responsibilities of individuals who come into possession of stolen data, especially in cases involving public entities and sensitive personal information.
