City of Columbus Drops Case on Cyberattack Whistleblower

The security researcher who notified the media of the breach will be free from the city's lawsuit, but not without a caveat.


The city of Columbus, Ohio, has come to a settlement with whistleblower David Leroy Ross, also known as Connor Goodwolf, after he alerted the local media that city residents' personal information had been compromised in a cyberattack.

The breach was discovered on July 18, when the city found that a foreign cyber-threat actor attempted to disrupt its IT infrastructure in a potential effort to install ransomware and demand a payment from the city.

The threat actors in question belonged to the Rhysida ransomware gang, and the information they managed to glean included names, dates of birth, addresses, bank account information, driver's licenses, Social Security numbers, and other identifying information. This information was posted on the Dark Web, according to the notice of data breach letter that the city sent out to 500,000 victims whose information was compromised in the breach.

After learning of the disruption, Columbus' Department of Technology identified the threat and blocked unauthorized users from accessing its systems, launching an investigation into the matter. It also took the usual steps of engaging third-party cybersecurity experts to resolve the issue, as well as notifying law enforcement.

In August, the city sued independent security researcher David Ross, seeking damages greater than $25,000, as well as slamming him with an order to stop discussing the data leak. Now, nearly two months later, both sides have come to an agreement and the case will soon be dropped.

Goodwolf wanted a dismissal with prejudice, which means the city of Columbus cannot bring the same case against him again, and his wish will be granted, but with a catch: He had to agree to a permanent injunction under which he will only be allowed to publicly share data considered public record, and only with written approval from the city.

"It's good to see the city of Columbus dropping the case, partly in response to outcry from the security community back in July," Casey Ellis, founder and adviser at Bugcrowd, wrote in an emailed statement to Dark Reading. "This is another example of shooting the messenger, and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies, and companies should be working hard to avoid."
