In the summer of 2024, the city of Columbus, the capital of the state of Ohio, became the victim of a large-scale cyber attack, as a result of which the personal data of more than 500,000 current and former residents were stolen. The incident drew significant criticism from the public and cybersecurity experts, as well as lawsuits from victims, including police officers, whose bank accounts and email inboxes were hacked.
The July 18 cyberattack was carried out by the Rhysida group, which claimed to have stolen 6.5 terabytes of data from city systems. The data leak included personal information of city residents, including names, dates of birth, addresses, social security numbers, bank accounts and driver’s license information. Some of that data, including records from the prosecutor’s office database, ended up on the black market.
City officials initially assured citizens that no data breach had occurred and said the attack had been “repelled” and the potential impact minimized. However, when cybersecurity researcher Conor Goodwolf accessed the stolen data and made it public, the city sued him. After public outrage, the lawsuit was withdrawn.
The city has worked to restore its systems and cooperated with law enforcement, but some services are still down after the attack. Victims have been offered two years of identity theft protection, and an investigation into the incident is ongoing. This incident served as a warning to other municipalities about the importance of cyber security and transparency in the fight against cyber attacks.