  • The Columbus Dispatch

    Ransomware explained: Columbus timeline says far less data stolen than hackers alleged

    By Bill Bush, Columbus Dispatch,

    3 hours ago

    The following is a timeline released by Mayor Andrew J. Ginther Tuesday of a hacking attempt that brought down multiple city computer systems and compromised employee personal data, which was then offered for auction online, presumably by a foreign cybercrime organization.

    7/18/2024 – Department of Technology analyst detected suspicious activity. Experts were engaged to analyze activity and identified threat actor involvement. Mayor Andrew J. Ginther was advised, and the decision was made to take city offline at 11:31 p.m. (The city doesn't say how many hours transpired before the decision was made to protect city systems by bringing them offline.)

    7/19/2024 – The city notified FBI and Homeland Security.

    7/20/2024 through 7/21/2024 – Ongoing forensic investigation continued. Decision was made to advise city leadership and then public that the incident was not CrowdStrike related.

    7/22/2024 – City leadership was briefed. Employees were made aware. Press release was issued alerting public to the hack, and that forensic investigation would take time. (In the press release Ginther said that the city's 311 call center "remained operational," but it was only operational because calls were being recorded and handled on paper.)

    7/29/2024 – Press release was issued saying the hack was an attempted ransomware attack that was thwarted, but some data was accessed and the investigation continues. (In that written statement, Ginther said the city had "Thwarted Ransomware Encryption," implying that the attack had been neutralized.)

    7/30/2024 – Forensic investigation revealed the hacker had access to employee personal information. Experian was engaged for credit monitoring.

    7/31/2024 – Dark web auction commenced on data stolen by the hacker. Rhysida ransomware group took responsibility for the attack. This consisted of a claim of 6.5TB of data with associated “screen shots” of various city systems. No live data or sample data was posted.

    8/1/2024 – Press release about employee credit monitoring was issued.

    8/6/2024 – Letters to employees with credit monitoring information were sent.

    8/7/2024 – Hacker made second attempt to auction stolen data on the dark web. The re-auction posted by the hacker on Aug. 7, 2024 suggests that no one purchased the city’s data, so a final attempt was made to sell by advertising a partial download, but the link was broken.

    8/8/2024 – Hacker released city data. The city has now confirmed there was not 6.5 terabytes of data released by the threat actor. Rather, the amount was far smaller.

    8/9/2024 – City confirms 1) data encrypted/corrupted and 2) hacker access to copied data eliminated. The data purported to be released was city backups which were determined to be corrupted or encrypted, along with miscellaneous other files that are currently undergoing continued data mining analysis.

    wbush@gannett.com

    @ReporerBush


    This article originally appeared on The Columbus Dispatch: Ransomware explained: Columbus timeline says far less data stolen than hackers alleged
