Where Columbus stands after data leak: what you should know

View a previous report on the search for “patient zero” in the video player above.

COLUMBUS, Ohio (WCMH) — After Columbus residents were hammered with the revelation they could be affected by discoveries on the dark web, thousands have taken the city up on an offer of protection.

Columbus Mayor Andrew Ginther’s office confirmed that as of Monday, 8,924 people had signed up for the free credit monitoring offered by the city. The sign-ups come after the Rhysida ransomware group leaked over three terabytes of stolen data from city servers onto the dark web, including files with personal information of employees and residents alike.

A spokeswoman did not specify if that number was just citizens, workers or a mixture of both. The city originally rolled out credit monitoring for just employees as a precaution, after Columbus police officers came forward with claims their bank accounts had been hacked. But once cybersecurity expert Connor Goodwolf provided NBC4 with a sample of leaked data from the dark web, it became clear the damage extended to residents as well. Columbus, in turn, extended their offer of credit monitoring to anyone affected.

The city and Experian — the credit bureau providing the monitoring — have both assured that taking up the offer doesn’t exclude anyone from taking legal action over the leak. Meanwhile, two class-action lawsuits have piled on the city over its handling of the ransomware attack, inviting anyone affected to join their cause.

Where did it start?

Through the course of the ransomware attack’s aftermath, NBC4 has asked the mayor’s office if investigators have found “ patient zero ,” or the originating device where hackers first gained entry. SecureCyber CEO Shawn Waldman called this a necessity in stopping hacks, because if the original hole isn’t plugged, the group could start the attack over again. Ginther and his team have given three answers to that question:

• On Aug. 13, Ginther said, “No, I think that all comes about throughout the investigation.”
• On Aug. 17, Ginther replied, “I don’t know if we have yet as part of the ongoing investigation and probably not know that for some time.”
• On Aug. 19, the mayor’s office said, “The patient zero question is still under investigation.”

When Ginther first shared that the city’s July 18 cybersecurity incident was a ransomware attack, he mentioned that the Rhysida ransomware group first gained access when someone downloaded a .zip file from a website. But the mayor has never named the person responsible, nor has he shared their title or department they were in, or what access they had.

Who is affected?

The full scope of the leaked data remains unknown, partially because of the sheer size of what was uploaded by Rhysida, as well as the fact that some of the data is encrypted. But Goodwolf has told NBC4 he is downloading more portions of the leak and that there are keys to unencrypt certain files in the dump as well.

From the data that Goodwolf has parsed so far, anyone’s information could potentially have been leaked if they meet one of the conditions below:

• Anyone who went within the past two decades to Columbus City Hall for something like a city council meeting. Some residents have found their data was leaked from visiting certain other city buildings as well.
• Anyone who may have been a victim or suspect in a case involving City Attorney Zach Klein, as his office’s database was found in the leak. This part of the breach contains records for at least 215,372 defendants’ cases.
• City employees and their emergency contacts who used the “Attendance Enterprise” employee portal from from 2004 to 2016, since its database was recovered as well.
• Anyone who was a victim — including if they died — of an arson fire, since records from 2014 to 2023 from the Columbus Division of Fire’s “Firehouse” database were found in the leak.
• Anyone who filed for a civil protection order in Columbus, since information on 5,700 protective orders was included in the leak.
• Anyone who was a witness or suspect in a case involving juveniles, since unsealed records from those incidents contained 12,000 to 13,000 names.

What actions can be taken?

Ginther has shared a deadline of Nov. 29 to sign up for the free credit monitoring offered by the city. Since the leak has also been confirmed to affect minors, a link for them has also been added to the city’s webpage for getting the deal from Experian.

Waldman has said one of the worst outcomes of a data breach can include when a bad actor takes a line of credit out in a victim’s name. He stressed the importance of taking an immediate precaution to help prevent that from happening.

“I would contact all three credit bureaus and do what’s called freezing your credit,” Waldman said. “Now, that should be done regardless. Even if you’re not part of an incident, everyone should have their credit frozen. … If you go to like, buy a new car or buy a house or something, it really just takes minutes to thaw your credit.”

Contact each of the three major credit reporting agencies at the following links:

• Equifax
• Experian
• TransUnion

Waldman added that watching bank account activity is another helpful step.

“If you’ve got notifications that you can turn on, like your credit cards and your bank accounts, have them start notifying you about every transaction,” Waldman said. “That way you get a heads-up.”

For the latest news, weather, sports, and streaming video, head to NBC4 WCMH-TV.