Deal made with whistleblower after Columbus' data leak draws global attention
COLUMBUS, Ohio (WCMH) -- A whistleblower who revealed the danger of a ransomware attack and subsequent data leak in Columbus, will now only be permitted to share his research on compromised sensitive information with city officials that are suing him.
City Attorney Zach Klein announced Wednesday evening that his office reached an agreement with Connor Goodwolf on a preliminary injunction. Before making the deal, the researcher proved the severity of information stolen by the Rhysida ransomware group from Columbus servers, and alerted the public they were at risk.
"The city and our counsel met with (Goodwolf) several times over the past week," Klein said. "While the content of these conversations is confidential, I can say that these discussions were positive and led to an agreement submitted to the court that prevents sensitive data from being disseminated, protects public safety and respects free speech."
Klein's office said the agreement protects sensitive data from being spread while allowing Goodwolf "to maintain a dialogue with the city regarding the breach." The text of the document itself keeps Goodwolf's ban from sharing any sensitive information from the leak publicly, which remains freely accessible on the dark web as of Wednesday. However, it does allow him to show that data to certain Columbus police officers or the city's attorneys, and openly discuss any part of the leak that the city agrees falls under the Ohio Public Records Act.
The agreement will stay in effect until the "final resolution" of the city's lawsuit against the whistleblower. The city has not dropped the case seeking at least $25,000 in damages from Goodwolf, and it doesn't have a trial assignment scheduled until September 2025. But the city did extend Goodwolf's time to file a response to the lawsuit until Oct. 30. He has yet to retain an attorney to defend him, according to Franklin County Common Pleas Court records.
Read the preliminary injunction agreement document below:
The City of Columbus has received attention from around the world as it works to recover from the ransomware attack first detected on July 18. After Mayor Andrew Ginther told the public the "encrypted or corrupted" data stolen was nothing to worry about, Goodwolf and NBC4 broke the news that hundreds of thousands of people’s private information was compromised. As his research went further and further into three terabytes released by Rhysida, the city hit him with the lawsuit and a restraining order.
Cybersecurity industry calls on Columbus to reconsider lawsuit
Since Columbus took legal action against Goodwolf, NBC4 has heard from experts in the information security community that encountered similar actions from local governments before.
"It was very concerning. We felt that it set a very bad precedent, to the degree that I can speak for the security community," said Jeff Nathan, a security researcher and Netography's director of detection engineering.
One source shared his story of being hired by the state of Iowa to test the security of a county court system, before it led to his arrest. Gary DeMercurio was an employee with a security firm that tested technical and physical security flaws that could put data at risk. He's now the CEO of Kaiju Security.
"If I've got paper on my desk, that's information," DeMercurio said. "If I've got paper in my computer, that's information. And part of the information technology department is to make sure that information is secure."
The company was hired by the state of Iowa in 2019. DeMercurio and another team member were sent to do their job in the Dallas County, Iowa Courthouse.
"We do what is called red teaming, where we go in and we will test them just like we're a ransomware gang or just like somebody who wants to try to steal, exfiltrate data or even physical stuff," DeMercurio said.
Then, the courthouse alarm went off and they were arrested.
"We have documentation that we carry around with us that says, we're this person, we're from this company, we're doing these things and these are our contacts and these people who hired us," DeMercurio said.
Iowa acknowledged miscommunication with county authorities, but it took six months to get the charges dropped.
"They literally waited until the very last day that they could drop charges before we were due in court back in Iowa," DeMercurio said.
DeMercurio said through his experience, he felt the support of the security research community.
While his situation is different from Goodwolf’s since he was working for an employer, he’s hoping his story will help bring attention to how good faith security research helps the public.
DeMercurio is not alone. Nathan penned an open letter to Klein, which has racked up dozens of signatures from professionals in the industry.
"I was talking to other people in some of these small communities where we share information, we share intelligence that helps us defend against active attacks and the sentiment was, 'yeah, that this was a really bad thing,'" Nathan said.
The letter expresses concern about the civil suit against Goodwolf. It outlines what the Tor, commonly referred to as the "dark web," is, and disputes claims by the mayor, city attorney and director of the department of technology that accessing it requires a highly specialized skill set. In actuality, the Electronic Frontier Foundation has called getting on the dark web as easy as "downloading an app."
Nathan's letter says data published by ransomware criminals is easy and free to access, which they say has been "demonstrated countless times by people of all ages and skills, including children."
"Cybersecurity is pretty nebulous, and it makes people think of folks in black hoodies or racing against the clock in an important television show or whatever it might be," Nathan said. "But what it is, is it's just a bunch of people who are really, really dedicated to filling a really major void."
The open letter to Columbus is not only getting attention across the U.S., but also across the globe. Companies represented on the list have headquarters in countries like France, Norway and India.
"We were looking for representation not just among people who do offensive security -- that is sort of the proactive testing of companies and governments networks, or people who distribute offenses -- but also people who engage with policymakers to help inform them," Nathan said.
NBC4 contacted Klein's office about this letter. His team sent a statement back:
“I respect the opinions shared and agree that good faith security research can play an important role in the response to a cyber intrusion. Our priority remains acting in the best interest of Columbus’ citizens and law enforcement, and we have tried to balance respecting first amendment rights with protecting public safety, including the potential dissemination of identities of undercover police officers and information on active criminal investigations. That’s why our case is focused on preventing the dissemination of this data and not on restricting (Goodwolf's) ability to discuss the intrusion or even describe the kinds of data exposed.”
City Attorney Zach Klein's Office