The Lawsuit Against a Security Researcher: Exposing the Truth Behind a Ransomware Breach

In a recent and controversial case, the City of Columbus has filed a lawsuit against a security researcher who, in my view, exposed critical flaws in the city’s cybersecurity practices. The researcher revealed that sensitive data, which the city claimed was secure and unreadable, was actually accessible in a legible format after a ransomware attack. This (smudging) disclosure challenges the city’s narrative and raises important questions about transparency, accountability, and the limits of relying solely on encryption.

The Ransomware Attack: Deconstructing the City’s Narrative

The situation began with a ransomware attack on the City of Columbus. The attackers demanded a ransom, threatening to release the stolen data if their demands weren’t met. The city, adhering to a policy of not negotiating with cybercriminals, refused to pay. As a result, the attackers made the data publicly available.

City officials reassured the public that the stolen data had been encrypted and was therefore unreadable and secure. However, the researcher’s findings tell a different story. Upon examining the publicly released dataset after not paying the ransom, the researcher discovered that the data was not only sensitive but also readable, indicating that it had been decrypted. This, in my opinion, directly contradicts the city’s statements and raises potentially serious concerns about their cybersecurity measures & disclosure policies.

Decryption: Likely Due to Full Access

The readability of the data suggests that the ransomware attackers likely had full access to the platform, allowing them to decrypt the data. Even if the data was encrypted at some point, the attackers’ access to the system enabled them to bypass or exploit existing encryption measures, making the data legible.

This highlights a crucial point: encryption, while essential, is not a silver bullet. If attackers gain full access to a system, they can often decrypt data, no matter how strong the encryption. This underscores the need for comprehensive security strategies that go beyond encryption alone and address vulnerabilities across the entire system.

The Researcher’s Role: A Necessary Confrontation

The security researcher’s decision to confront the city about its inaccurate statements was, in my opinion, not only justified but necessary for the public interest - leaving the methods as such aside. By publicly revealing the true state of the data, the researcher "ensured" that the public was informed about the real risks they faced. This kind of transparency is vital, especially in the aftermath of a cyberattack, where misinformation can lead to complacency and a false sense of security.

Rather than addressing these concerns, the City of Columbus chose to respond with a lawsuit. This action seems like an attempt to shift focus away from their own failings and blame the researcher for bringing these issues to light.

Note: I do not support nor condone the chosen methods of disclosure

Accountability and Transparency: The City’s Responsibility

To me, this case highlights the importance of accountability and transparency in cybersecurity, particularly for public institutions. Disclosure of information, particularly in the aftermath of a cybersecurity breach, is often misleading and can contain intentional misrepresentations designed to shield companies from liability claims. In the interest of self-preservation, some organizations may downplay the severity of incidents, omit critical details, or even fabricate aspects of the narrative to avoid potential legal consequences and public backlash. This practice is unethical and undermines trust.

All companies should adopt strict ethical and disclosure policies, committing to full transparency and honesty about the state of affairs. It’s essential that organizations resist the temptation to use "white lies" or rely on fixers to cover up mistakes, as integrity in communication is crucial for maintaining trust and accountability. The city’s initial claims that the data was unreadable and secure were misleading, and this misrepresentation could have serious consequences for those whose data was compromised.

If this incident had occurred in the European Union, the response would likely have been much different. Under the General Data Protection Regulation (GDPR), organizations are required to inform individuals of data breaches that affect their personal information. They must also take immediate steps to mitigate the damage and offer solutions to protect those affected. Had this incident occurred in the EU, the city would have been legally obligated to contact the individuals whose data was compromised and provide them with appropriate support and reparations.

This level of transparency and responsibility is what I believe should have been expected in this case as well. Instead of trying to cover up their failures, the City of Columbus should have focused on informing and protecting the individuals affected by the breach. This would not only have been the right thing to do but also would have helped restore public trust in their handling of the situation.

The Bigger Picture: Encryption, Collaboration, and the Path Forward

The lawsuit against the security researcher, in my opinion, is part of a broader issue in cybersecurity: the over-reliance on encryption as a catch-all solution. While encryption is a vital component of any security strategy, it is not infallible. When attackers gain full access to systems, they can often bypass encryption, as appears to have happened in this case. This reality underscores the need for a more holistic approach to cybersecurity, one that includes strong encryption but also addresses other vulnerabilities.

Additionally, this case highlights the need for greater collaboration between organizations and the security community. Security researchers play a crucial role in identifying and addressing vulnerabilities before they can be exploited on a larger scale. Rather than resorting to legal action, organizations should embrace transparency, acknowledge their shortcomings, and work with researchers to improve security practices.

The ugliness of the case: Let's talk about the Controversy Surrounding Columbus Cyber-Attack - A Closer Look at the City's Response and the Role of the Security Researcher

The breach, which exposed sensitive data including personal information of police officers, crime victims, and witnesses, has led to a contentious situation involving both the city's response and the actions of the security researcher.

While I absolutely do not condone the methods used by the security researcher to disclose information, it's important to take a step back and analyze the broader context of the situation.

The Breach and Its Fallout

So, on July 18, 2024, the City of Columbus discovered it was the victim of a massive cyber-attack orchestrated by a foreign criminal network. The attackers gained unauthorized access to critical IT infrastructure, including sensitive databases containing personal information from the City Attorney’s Office and the Columbus Division of Police. Following the breach, the stolen data was reportedly put up for auction on the dark web and eventually posted publicly.

The Security Researcher's Actions

The role of the security researcher in this situation has been controversial. According to the City’s complaint, the researcher accessed the stolen data and shared it with media outlets. They provided numerous interviews and even hinted at the existence of potentially more troubling data. This has resulted in the public disclosure of sensitive information, including the identities of undercover officers and minor victims.

While it's clear that the researcher’s actions have had significant repercussions, including exacerbating public concern and potentially compromising ongoing investigations, it’s crucial to understand the full scope of the issue.

The City's Response

The City's response has included a legal complaint against the researcher, citing their actions as harmful and claiming they interfere with the ongoing investigation. Points 11 through 17 of the complaint outline concerns about the researcher’s methods. Here are the fun ones:

13: From August 13, 2024 to date, Defendant has provided numerous interviews to local media outlets and has used the City’s stolen data to reveal the personal information of countless innocent individuals—visitors to City Hall, victims of domestic violence and other misdemeanor offenses, and lists of individuals allegedly compiled to prevent their access to City buildings, just to name a few.

14. Defendant’s actions of downloading from the dark web and spreading this stolen, sensitive information at a local level has resulted in widespread concern throughout the Central Ohio region.

15. Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so. The dark web-posted data is not readily available to for public consumption. Defendant is making it so.

16. At various times throughout his interviews, Defendant has alluded to the existence of potentially even more troubling data having been exfiltrated by the foreign criminals, baiting the news reporters and public alike to continue to turn to him for more details as to the stolen data.

17. On the afternoon of August 28, 2024, the City was notified by several media contacts that Defendant showed them records stolen by the foreign criminals which Defendant claims to have pulled down from the dark web and that reveal the identities of undercover police officers, minor victims of crimes and more.

Just as a comment: Point 15 of the complaint is rather absurd. It suggests that only individuals with specialized knowledge can access data on the dark web, which is far from accurate. In reality, tools like ChatGPT can provide guides on navigating the dark web and accessing stolen data. Once a breach occurs, the data is no longer secure and can be disseminated far beyond its original, intended access. The breach itself is the critical issue, not the means by which the data becomes available after the fact.

Breakdown

• Widespread Concern: The complaint suggests that the researcher’s actions have led to widespread concern throughout Central Ohio. However, this concern is largely a result of the initial breach and the data’s exposure by the cyber-criminals, not solely the researcher’s dissemination.
• Dark Web Accessibility: The complaint argues that the researcher made the dark web data more accessible. Yet, once data is on the dark web, it can be accessed and spread by various actors. The focus should be on how the data was compromised in the first place.
• Baiting Media: The researcher’s allusions to more troubling data might be seen as a way to highlight the severity of the breach and push for more immediate action. While their approach might be controversial, it also brings necessary attention to the breach.
• Revealing Sensitive Records: The complaint details the researcher revealing sensitive records. While serious, this again points to the data being initially exposed due to the breach. The city's focus on the researcher’s actions might overshadow the fact that the data was already at risk.

Reflections and Takeaways

Again, I feel it’s important to clarify that I do not support the researcher’s methods of disclosing the stolen data. Publicly revealing sensitive information, especially data involving minors and law enforcement personnel, can lead to serious risks and complications. Such actions, while intended to draw attention to the breach, can also cause significant harm.

However, it’s also critical to recognize that the city’s handling of the breach and subsequent legal actions against the researcher should be scrutinized. The focus on the researcher may be diverting attention from addressing the broader issues related to cybersecurity and breach management.

The real issue lies in the breach itself and how it was managed. Improving cybersecurity measures and ensuring robust data protection protocols are essential steps that need to be prioritized. The debate over the researcher’s actions should not overshadow the need for a comprehensive review and improvement of the city's cybersecurity framework.

Conclusion: A Call for Better Practices and Greater Transparency

The case against the security researcher underscores, in my view, the need for more honest and responsible handling of cybersecurity incidents. While encryption is an important tool, it is not a cure-all, especially when attackers have full access to systems. The City of Columbus’s misleading statements and subsequent legal action against the researcher reflect a failure to prioritize the safety and privacy of its citizens.

Moving forward, organizations must adopt a more comprehensive approach to cybersecurity—one that includes strong encryption, rigorous access controls, and a commitment to transparency. In cases of data breaches, they should take responsibility, inform those affected, and provide the necessary support to mitigate any potential harm. By doing so, they can rebuild trust and better protect against the evolving threats in today’s digital landscape.

As for the security researcher, they should have handled the situation with greater professionalism, using controlled and responsible methods to disclose the breach. Although their intention to warn the public was valid, their approach—marked by public disclosures and media involvement—was flawed and could have exacerbated the risks. Even if their warnings were ignored, a more strategic and collaborative approach with authorities would have been preferable. Their actions, though aimed at raising awareness, lacked the necessary discretion and professionalism. However it’s evident that the security researcher, despite their seemingly controversial approach, acted in good faith. They reached out to the City of Columbus to offer assistance and draw attention to the breach, hoping to prompt a more effective response. However, their attempts to engage with city officials went unanswered, leaving them feeling compelled to publicize the issue.

The fun fact here is: This TRO and the Cities' response makes it worse from an information perspective and everything else https://www.youtube.com/watch?v=kHepYMeMG4w actually makes it worse. The city even explains what is in the dataset making it even more targetted for bad actors.

All in all it’s crucial to address breaches with transparency and proactive measures rather than resorting to fixers or lawyers to obscure the truth or target those who reveal uncomfortable facts. The focus should be on managing the breach effectively and safeguarding the individuals affected, rather than paying ransom demands, which only fuels criminal activity. The priority must be on enhancing security measures, protecting sensitive information, and mitigating harm to victims. Ignoring or covering up the breach does not solve the problem; addressing it head-on and supporting those impacted is the responsible course of action.

But the city did at least do one thing right... By not paying the ransom!