Imagine an everyday ransomware attack on a U.S. city that results in sensitive data being leaked weeks later when the large ransom demanded is not paid.
Now imagine that the mayor of that city denies that the leaked data was as bad as it appeared, asserting in a press conference that the stolen data was mostly corrupted and unusable.
But wait. A security researcher who has studied some of the data disagrees and thinks the data is in fact potentially highly sensitive, and includes social security numbers of police and criminals as well as the names of people involved in domestic violence cases.
The researcher provides local media with evidence to back up the claim. Now the mayor’s office is upset. So upset, in fact, that it files a lawsuit against the researcher. A court grants the city a temporary restraining order.
The city in question was Columbus Ohio, which suffered the attack detailed above in July 2024, and the researcher in question was David Leroy Ross.
Experiencing a ransomware attack is bad enough. Being accused of misinforming the public only adds to the bad vibe. Can this somehow get worse? It can if the whole incident turned into a public legal confrontation with the researcher that drew international attention.
Who is at fault?
It all started unremarkably enough. Columbus announced that it had suffered a cyberattack but had limited its scope by cutting network connectivity.
“The city is in the process of identifying individuals whose personal information was potentially exposed and will provide notice and additional guidance to all who are impacted in the coming weeks,” it announced on 29 July.
Normally, the story ends there, and everyone moves on. This time, things took a different turn.
In late July, the Rhysida ransomware group announced that it was behind the attack and had stolen 6.5TB of data from Columbus, including employee credentials, databases, and video camera data.
It demanded Bitcoin to the value of nearly $2 million. A week later when that was not paid the group leaked 260,000 files, almost half of the stolen data, on its dark web portal.
Yet at a press conference on the same day, Columbus mayor, Andrew Ginther, downplayed the attack’s severity, claiming that much of the leaked data was unusable.
When researcher Ross contacted the media to contradict that assertion, those words started to sound optimistic.
Eventually on the receiving end of a lawsuit, it was hard not to feel sympathy for Ross. The biggest concern was the effect this case might have on other researchers who see problems with a public organization’s cyberattack communication.
The city eventually dropped its case but its pursuit of Ross was an alarming outlier. This was not the first time researchers had become unpopular for pointing out the inconsistencies in an official story, but such cases remain the exception.
Nevertheless, the case highlights that public sector cyberattacks in the U.S. should be covered by stronger laws around accurate and timely disclosure.
Shooting the messenger might give officials a focus for their frustration. But it should never be allowed to distract from the need for better cyberattack security and response.
