There’s an update to a disturbing story that involved a Franklin County judge granting the City of Columbus a temporary restraining order against Connor Goodwolf. Goodwolf has been providing information to the media and the public about a ransomware attack on the city and was refuting the city’s claims about the impact of the attack by Rhysida. Now WKBN in Ohio reports:
A whistleblower who revealed the danger of a ransomware attack and subsequent data leak in Columbus, will now only be permitted to share his research on compromised sensitive information with city officials who are suing him.
City Attorney Zach Klein announced Wednesday evening that his office reached an agreement with Connor Goodwolf on a preliminary injunction. Before making the deal, the researcher proved the severity of information stolen by the Rhysida ransomware group from Columbus servers and alerted the public they were at risk.
“The city and our counsel met with (Goodwolf) several times over the past week,” Klein said. “While the content of these conversations is confidential, I can say that these discussions were positive and led to an agreement submitted to the court that prevents sensitive data from being disseminated, protects public safety and respects free speech.”
Read more on WKBN, keeping in mind that adding injury to its assault on the First Amendment, this agreement will stay in effect until the “final resolution” of the city’s lawsuit against the whistleblower:
The city has not dropped the case seeking at least $25,000 in damages from Goodwolf, and it doesn’t have a trial assignment scheduled until September 2025. But the city did extend Goodwolf’s time to file a response to the lawsuit until Oct. 30. He has yet to retain an attorney to defend him, according to Franklin County Common Pleas Court records.
DataBreaches finds this “deal” still totally unacceptable and believes the court and city have trampled Goodwolf’s First Amendment rights. The data have been leaked publicly and yet a court prohibits him from discussing it publicly with specifics? Suppose NBC or ABC or Fox News wants to show some of the leaked data in their reporting and to discuss it? Would the court issue an injunction against them? And if the court did, would it be overturned on appeal?
I hope that the ACLU or EFF or both would represent Goodwolf in this case pro bono. Media attention should be on the city’s cybersecurity before the cyberattack and its response to the incident — not on someone who tries to alert the public to their risk.
Note: On September 9, the city’s Technology Director Sam Orth made certain statements to the city council that were somewhat stunning. as NBC reported:
Orth told them that the city never received a ransom demand from Rhysida, the hacking group that tried to auction off an advertised 6.5 terabytes of stolen data from Columbus servers. He said his team tried to reach out to the hacking group before the data was released, but never got a response.
DataBreaches contacted Rhysida to ask about Orth’s assertions as it made no sense that Rhysida would not have contacted their victim at least a few times to try to negotiate payment. Rhysida’s response has been added as an update to an earlier post, but is repeated here:
In response to DataBreaches’ inquiry, Rhysida’s spokesperson states that yes, they had contacted the city, telling the city that they had 6 TB of data and providing a file list to show what they had acquired. The email also reportedly included a price quote. When asked if they could provide this site with a copy of the email, Rhysida’s spokesperson said that they couldn’t because the email account that had sent that email to the city had been deleted by now.
The spokesperson also said they never received any email from Columbus, telling DataBreaches:
they’re lying.
we sent them an e-mail (not one) but we haven’t gotten an answer.
Then they started making lying comments to the media.
No one has attempted to contact us since the auction was posted.
You realize we wanted to settle this peacefully.
And now these clowns are trying to justify themselves by blaming the person who made it public
DataBreaches can neither prove nor disprove either side’s claims, but in this case, the threat actors’ claims make more sense than the city’s.