Full Report
Fox28 reports: A Franklin County judge dismissed a lawsuit against the city of Columbus, which claimed it failed to follow industry standards and federal guidelines for data security. The lawsuit was filed last year after the ransomware group Rhysida claimed it stole over 6 terabytes of city data and posted it for sale. The incident caused the city to shut down multiple systems...
Analysis Summary
# Incident Report: Columbus Ransomware Attack and Subsequent Lawsuit Dismissal
## Executive Summary
The City of Columbus, Ohio, suffered a significant ransomware attack attributed to the threat group Rhysida, resulting in the exfiltration of over 6 terabytes of city data and a multi-month disruption to critical systems. While the immediate incident disrupted municipal operations and exposed sensitive employee and resident data, the subsequent civil lawsuits filed by affected parties, including city employees, alleging data security failures by the city were dismissed by a Franklin County judge.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the lawsuit was filed "last year" relative to the October 2025 article date, implying discovery occurred sometime before that.
- **Incident Date:** Not explicitly stated, but occurred before the filing of the lawsuit "last year."
- **Affected Organization:** City of Columbus, Ohio
- **Sector:** Government (Municipal)
- **Geography:** Columbus, Ohio, USA
## Timeline of Events
### Initial Access
- **Vector:** Ransomware attack attributed to the Rhysida group.
- **Details:** The ransomware intrusion was the initial compromise and resulted in the theft of city data.
### Lateral Movement
- **Details:** The attack forced the city to shut down multiple systems, which suggests the attackers had moved across the internal network before the impact was recognized.
### Data Exfiltration/Impact
- **Details:** Rhysida claimed to have stolen over 6 terabytes of city data and posted it for sale. Alleged consequences included unauthorized purchases, fraudulent bank account openings, and threatening ransom/data exposure emails directed at victims. Data included information pertaining to city employees, specifically one undercover police officer and one firefighter.
### Detection & Response
- **Details:** The city confirmed the breach and engaged with the Rhysida group prior to the dark web sale. The operational impact required months to bring some systems back online. A civil lawsuit was filed alleging failure to meet industry standards.
- **Response Actions:** The city reportedly tried to negotiate or communicate with the hackers. The city faced a civil lawsuit which was ultimately dismissed by a judge.
## Attack Methodology
- **Initial Access:** Ransomware deployment (specific vector against Columbus unknown).
- **Persistence:** Not detailed, though sustained access would have been required to exfiltrate 6 TB of data.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed, though sensitive information was obtained.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied by widespread system shutdowns.
- **Collection:** Over 6 terabytes of city data collected.
- **Exfiltration:** Data posted for sale on the dark web by Rhysida.
- **Impact:** System outages, data exposure, potential financial fraud against individuals.
## Impact Assessment
- **Financial:** Not explicitly quantified, though city resources were used for system recovery (taking months) and the group demanded ransom.
- **Data Breach:** Over 6 terabytes of city data, including information on city employees (undercover officer, firefighter) and residents.
- **Operational:** Significant disruption, requiring the shutdown of multiple systems and months for remediation.
- **Reputational:** The incident drew global attention, exacerbated by whistleblower disputes and the subsequent dismissal of civil lawsuits against the city.
## Indicators of Compromise
Because this report focuses on the legal outcome of a past event, the summary provided contains no specific IoCs (IPs, URLs, hashes).
## Response Actions
- **Containment:** Shutdown of multiple affected systems.
- **Eradication:** Not detailed.
- **Recovery:** Took months to restore some systems to full operation.
- **Legal Response:** The city defended itself against civil action rooted in security negligence claims.
## Lessons Learned
- The incident highlighted potential failures in the City of Columbus's data security posture, leading to a lawsuit alleging non-adherence to industry standards and federal guidelines.
- The incident involved significant friction regarding communication, as a whistleblower attempting to inform the public was reportedly sued by the city.
- State law appears to shield municipalities from civil liability for data security failures, even when data is exposed.
## Recommendations
- Review and significantly upgrade data security protocols to meet or exceed all relevant industry standards and federal guidelines.
- Establish transparent and clear communication protocols in the event of a major data breach, balancing necessary confidentiality with public and employee notification requirements.
- Address any known internal vulnerabilities exploited during the attack to prevent recurrence.