‘Gut-wrenching:’ More victims found in Columbus data leak

COLUMBUS, Ohio (WCMH) — New databases found in the dark web leak from the City of Columbus confirm the exposure affects even more workers and citizens over a span of years.

NBC4 has been working with cybersecurity expert Connor Goodwolf as he combs through around 3.1 terabytes of data released by the Rhysida ransomware group . On Monday, he shared what he found in another batch of downloads, including multiple sensitive records snagged by hackers before the city’s IT staff cut off its systems from the internet. Already confirmed was that the breach extends beyond city employees and also affects the public.

One of those databases, called “Attendance Enterprise,” tracked paid time, vacation and badge numbers for 2,837 city workers. Goodwolf showed the records also contained employees’ Social Security numbers, as well as the names, addresses and phone numbers for emergency contacts. This is yet another set of data that’s exploitable, according to Goodwolf.

“There are scams out there where someone may call emergency contacts and claim that they’re a person, that they’re in jail, they need money,” Goodwolf said. “So this sort of information could be used for illicit purposes.”

Among the newly discovered compromised group was City Council President Shannon Hardin. Other affected workers had titles such as deputy director and plant operator, and “Attendance Enterprise” had records for Columbus employees ranging from 2004 to 2016.

Goodwolf also found a database called “Firehouse,” which contained Social Security numbers for citizens involved in Columbus Division of Fire investigations. It also held sensitive details in notes from hazmat and arson investigations, as well as victims’ names, addresses and vehicle identification numbers. The records stretched from 2014 to 2023, and included deceased victims.

Goodwolf called this portion of the leak “gut-wrenching.”

“People are having the worst days of their lives and they expect their information to be held secure and safe,” Goodwolf said. “A lot of these cases are gruesome. I imagine some of these files will end up on the dark web with regards to the incident reports where someone was injured or died and potentially even harassed.”

The cybersecurity expert said as he has been uncovering new databases with compromised information, he has been notifying the groups affected by each subsequent portion of the leak.

“I’m still digging through the data, so there could be more and I’ll come forward if anything else comes out,” Goodwolf said.

The city extended its offer of free credit monitoring to go beyond employees after discovering residents were also affected. Columbus Mayor Andrew Ginther spoke on the latest developments from Rhysida’s leak in a Saturday news conference. Previously calling the dump “encrypted or corrupted,” he acknowledged the growing scope of its known impact while speaking with reporters.

“Let me once again express my anger, my frustration that our city and our residents have been attacked by cyber criminals,” Ginther said. “My job is to acknowledge when that information was inaccurate. It was the best information we had at the time. Clearly, we discovered that that was inaccurate information and I have to accept responsibility for that.”

The city’s Department of Technology first discovered Rhysida had accessed city servers on July 18. Ginther said staff were able to stop the hackers from encrypting systems and locking employees out, but admitted they were able to access private information. Rhysida claimed responsibility for the attack at the end of the month, and launched auctions asking for 30 bitcoin for the city’s data. After failing to attract bids , the group dumped the data publicly on the dark web.

For the latest news, weather, sports, and streaming video, head to NBC4 WCMH-TV.