Having completely shit the bed in its handling of a recent ransomware attack, the city of Columbus, Ohio has decided the person who must be silenced — and, hopefully, punished — should be the person who informed city workers and residents their PII was available on the dark web.
The messenger hasn’t been shot quite yet, but it’s almost an inevitability at this point, as Bill Bush reports for the Columbus Dispatch.
A Franklin County judge on Thursday granted the city of Columbus a temporary restraining order against a cybersecurity expert who has been telling the media about the public impact of the ransomware attack on city government.
Franklin County Common Pleas Judge Andria C. Noble approved the temporary restraining order, which bars cybersecurity expert David L. Ross Jr., who goes by “Connor Goodwolf,” “from accessing, and/or downloading, and/or disseminating” any of the files stolen from the city that were posted to the dark web.
This order makes no sense. If Ross/Goodwolf has access to these files, plenty of other people do as well. No, this is an attempt to silence someone who has repeatedly embarrassed the city by exposing its unwillingness to fully inform the multiple victims of this ransomware attack and release of the ransomed data.
And there’s a lot at stake. Not only was driver’s license and Social Security information about citizens and city employees released, but the ransomed data also included personal info about domestic violence victims and (allegedly) undercover police officers.
Goodwolf’s exposure of the extent of the breach has already resulted in two lawsuits against the city for failing to protect this information. City Attorney Zach Klein was more than happy to express his agreement with this clearly unconstitutional injunction since it gives him something else to talk about rather than the city’s botched attempt to downplay the severity of the incident.
In a series of disclosures, Ross has shown [Mayor Andrew] Ginther’s statements to be incorrect about the extent of damage done after Rhysida, a foreign cybercrime organization, hacked the city’s server farm and demanded $1.7 million or 30 bitcoins to keep the information off the dark web. The hack was discovered in July by the city, which refused to pay the ransom.
Ross’ investigation has provided many more details about the risks to city employees and the general public — and has proven more accurate — than what the city has divulged, even prompting Ginther to correct himself about the extent of the damage.
The city has decided the person informing the public about the ransomware attack is the real villain here, rather than city officials who tried and failed to keep this under wraps. This was the warning shot. There’s possibly more to come — something hinted at by the language used in the court order.
The order is in effect for 14 days, and also orders Ross not to destroy or alter any information he has downloaded, suggesting the city may try to indict him.
There’s the true extent of the city’s pettiness. It wants revenge for being exposed as a reckless caretaker of personal info, as well as for misleading the public about the extent of the data exposure. Even with all of this going on, city representatives continue to dodge direct questions about the attack — such as when it was actually first discovered. They won’t have this luxury for much longer, not when it’s the subject of at least two potential class-action lawsuits.
For the time being, the city seems satisfied with trying to silence the security researcher who was far more informative about the extent of the breach and far more responsible in terms of answering questions raised by city employees and residents.
In the end, all the city really has accomplished is the generation of more negative press and securing a truly absurd court order — one that the person requesting it (city attorney Zach Klein) won’t even attempt to explain.
Asked if Ross would potentially become the only person in the world prohibited from downloading the stolen city files for purposes of forensics, Klein said he didn’t want to discuss potential litigation and the ongoing criminal investigation.
Hopefully, Ross/“Goodwolf” will get this order rescinded in the near future. Once that happens, the city is going to have to actually deal honestly with the repercussions of this attack. Trying to scapegoat the person who speaks up about incidents like these is, unfortunately, the expected response when there’s an imbalance in power. But it rarely works out as well as those with power believe it will.