There’s an update to an incident affecting the City of Columbus, Ohio. That’s the one where a judge prohibited David L. Ross from talking to the media about it after the city sought to silence him after he began publicly refuting the city’s false or inaccurate claims about the breach. The city subsequently settled its lawsuit against him but the settlement still partially muzzles him, which DataBreaches finds totally unacceptable. That someone is being muzzled and sued for accurately reporting on a breach that the victim entity has not accurately disclosed is…. disturbing, to say the least.
The city subsequently submitted a notification to the Maine Attorney General’s Office. It reports that a total of 500,000 people were affected. From their sample letter dated October 7:
What Happened? On July 18, 2024, the City discovered that it had experienced a cybersecurity incident in which a foreign cyber threat actor (the “TA”) attempted to disrupt the City’s IT infrastructure in a possible effort to deploy ransomware, and solicit a ransom payment from the City (the “Incident”). The City’s continuing investigation of the Incident determined that the TA gained unauthorized access to the City’s technology infrastructure, allowing the TA to access certain personal information. The Incident was discovered expeditiously, cyber security experts were retained, and security measures were implemented to contain the Incident. Despite these efforts, data purported to have been obtained from the City was posted on the dark web.
What Information Was Involved? The information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver’s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City. To date, the City is unaware of any actual or attempted misuse of your personal information for identity theft or fraud as a result of this Incident.
Has the city ever formally retracted or corrected claims made by the city’s Technology Director Sam Orth that the city never received any ransom demand from Rhysida before the data was leaked and that the city had tried to reach Rhysida? Did it ever come out and forthrightly acknowledge that its early claims that the data would be “unusable” because they were supposedly “corrupted or encrypted” were flat-out inaccurate?
Those affected by a breach need accurate information so that they can assess their risk and determine what steps to take to protect themselves. When the accurate information appears to be coming more from the criminals and a third-party researcher and not the government/victim, it can make it harder for those affected to know what to believe and what to do. The city justified its application for an injunction by telling the court that it was concerned for the safety of police officers and others with sensitive information in the leak.
Getting an injunction against one researcher or any one site reporting on a data leak doesn’t do much to protect anyone except those who failed to adequately protect the security of data entrusted to them.
Some of those affected have already sued the city over the breach.