City officials in Columbus, Ohio, have opened a second front in their ongoing investigation into a ransomware attack in mid-July that disrupted some city services and led to by the notorious Rhysida threat group to leak some stolen sensitive data on the dark web.

City Attorney Zach Klein on August 29 filed an eight-page complaint against Ohio-based cybersecurity researcher David Leroy Ross Jr., who has disputed the claims by Columbus Mayor Andrew Ginther that the city’s IT staff had successfully detected and shut down the attack and that any data that was exfiltrated by Rhysida was either encrypted or corrupted and therefore wasn’t usable or a threat to the city employees or residents.

A Franklin County judge the same day granted Klein’s request for a temporary restraining order against Ross, banning him from accessing, downloading, or disseminating any of the stolen files that were made available on the dark web.

Ross – who goes by the name “Connor Goodwolf” in his professional work – disputed Ginther’s characterization of the 6.5 terabytes of data stolen by Rhysida, saying the data included personal information of both city employees and residents, such as driver’s license and Social Security numbers as well as information about Columbus police officers and victims and witnesses of crimes

At least two lawsuits reportedly having been filed in the wake of the ransomware attack against the capital city, which has more than 913,000 residents and is the largest city in Ohio.

The Threat of the Stolen Data

The legal dispute centers around whether Ginther and other city officials were being upfront with city employees and residents about the extent of the threat resulting from the ransomware attack, which Rhysida took responsibility for almost two week later. The threat group said that among the data taken was internal logins and passwords, emergency services applications for the city, and city camera video feeds.

Rhysida put the 6.5TB of information up for sale for 30 BTC.

In a July 29 statement, Columbus officials said the city’s IT department “quickly identified the threat and took action to significantly limit potential exposure, which included severing internet connectivity.” A week later, the threat group, unsuccessful in convincing the city to pay a ransom, put a portion of the stolen the dark web.

However, the city’s complaint against Ross said the threat group seized information from two backup databases that included “large amounts of data” gathered by prosecutors and police about misdemeanors dating back to 2015. It included sensitive personal information about police officers – including undercover officers – as well as “crime victims of all ages, including minors, and witnesses to the crimes the City prosecuted from at least 2015 to the present.”

Ross accessed the data that was published online and spoke to the media numerous times about what he found. Reporters took the information and began contacting people whose names were included in the stolen files.

Invasion of Privacy, Negligence Alleged

The lawsuit accuses the cybersecurity expert of invasion of privacy, negligence, and civil conversion – taking information belonging to the city and using it to his own benefit. The City Attorney’s Office alleges that Ross used the information to bolster himself, accusing him of suggesting to the media that even more “troubling data” may have been exfiltrated, “baiting the news reporters and public alike to continue to turn to him for more details as to the stolen data.”

In a statement, Klein said he respected the judge’s decision to issue a temporary restraining order, adding that he has “a duty to do whatever I can to protect police, victims, undercover officers and the public when they are threatened with harm. This decision is a positive step to stem the dissemination of stolen confidential personnel and victim data—information that compromises active investigations and poses a threat to the lives and livelihoods of real people.”

A Question of Truth

The complaint has kicked off another controversy in an already charged situation, with Ross’ disclosures having some questioning statements by Ginther and other city officials about the effect the ransomware attack could have on some in the city.

In a column in the city’s largest newspaper, Amelia Robinson, The Columbus Dispatch’s opinion and community engagement editor, wrote that she was alerted by a credit card monitoring program after the attack that her information was on the dark web, though she added the alert wasn’t what prompted her to take immediate action.

“I likely would have dragged my feet if not for a whistleblower who calls himself Connor Goodwolf professionally and in the ‘furry’ world,” Robinson wrote. “It is alarming that this cybersecurity expert is now in the city’s crosshairs.”

She noted that Ginther said he was “furious” about the attack, but wrote that “he was not at all forthcoming. It wasn’t just the ‘city’s’ information that was stolen, mine and perhaps yours was, too. The little information the city shared with those actually victimized, the people who live in, work for and visit the city, was lacking or flat out wrong. We did not and would not have known we needed anything to be protected from if not for Goodwolf telling the media about the dangers facing the public.”

In an interview with the local NBC4 news station, Aaron Mackey, director of free speech and transparency litigation for the Electronic Frontier Foundation (EFF), said the city’s actions violate Ross’ right to inform Columbus residents about “this very significant privacy breach that is the result of what sounds like the city’s own inaction or inability to properly secure its data. Rather than thank this individual for coming forward and actually explaining to the public that this is a significant problem, the city has resulted to basically violating his First Amendment rights and claiming that what he’s done is some sort of illegal act.”