The Columbus City Hall Cyber Attack: Key Takeaways

January 10, 2025

This past July, the City of Columbus, Ohio experienced a significant data breach. Hackers breached Columbus’ network and gained access to private information of city employees and residents. Initially, the City stated that it had thwarted a ransomware attack. However, it was soon revealed that the problem was much worse than the City had indicated. Several cybersecurity experts soon disclosed that a group called Rhysida, a foreign cybercriminal outfit, had in fact stolen data and was threatening to release it if Columbus did not pay a ransom. Columbus then said that any data stolen was likely unusable, but that was later contradicted by cybersecurity experts who were able to find the personal information on the dark web.

What is a Ransomware Attack?

According to the National Institute of Standards and Technology,

“ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves.”

What sets ransomware attacks apart from other cyber attacks is that the ransomware attackers want you to know what they have done and what information they have taken. In short, the ransomware attackers want to hold private information hostage in exchange for money. Other cybercriminals may not even want you to know your information has been compromised so that they can use your information without you knowing.

The Lawsuits

At least two class-action lawsuits related to the ransomware attack have been filed against the City of Columbus, and they have been consolidated into one case. The lawsuits claim that the data breach resulted from the City’s failure to safeguard highly sensitive information about employees and residents in its care. The consolidated lawsuit claims that the City “lost control over that data when cybercriminals infiltrated its insufficiently protected computer systems in a data breach.” The lawsuit goes on to claim that the City “had no effective means to prevent, detect, stop, or mitigate breaches of its systems—thereby allowing cybercriminals unrestricted access to the now-compromised” personal information.

As such, the lawsuit alleges,

“Cybercriminals were able to breach [the City’s] systems because [the City] failed to maintain reasonable security safeguards or protocols to protect the Class’s PII and failed to adequately train its employees on cybersecurity. In short, [the City’s] failures placed the Class’s PII in a vulnerable position—rendering them easy targets for cybercriminals.”

The cases were filed in August, even before the extent of the ransomware attack was known, and have been consolidated into one case. The consolidated cases claim the plaintiffs have had their personal information compromised and that cybercriminals have already used that information for nefarious purposes like unauthorized consumer purchases. The lawsuit seeks damages for the City’s negligence, among other things, and does not specify a dollar amount at this early stage of the litigation.

For more information on this case, contact Cybersecurity and Data Breach attorney Michael Hoenig (MDH@kjk.com; 216.736.7247).