Man
The actions of the city of Columbus reveal the pitfalls of ethical hacking.
The city of Columbus, Ohio, has confirmed that the data of half a million people was compromised and possibly stolen in a summer cyberattack using the Rhysida ransomware.
According to the city, exactly 500,000 people could have been affected by the data breach, an unusually round figure for such incidents. This is the first time that Columbus authorities have disclosed the scale of the attack and data breaches. Rhysida said that after the city refused to pay the ransom, it uploaded about 3 TB of stolen files to its blog, but the exact number of victims is difficult to determine.
The scale of the incident became known through a report to the Maine attorney general, while the notices sent to potential victims on October 7 did not contain information about the number of victims or the types of data leaked. The leaked data includes names, dates of birth, addresses, bank details, driver's licenses, social security numbers, and other personal information.
Security researcher Connor Goodwolf (David Leroy Ross), who downloaded the Rhysida file, said that the server of the city's prosecutor's office was probably among the sources of the data. He noted that those affected include victims of domestic violence, whose names and addresses may now be at risk.
Specialists from the Columbus Department of Technology blocked unauthorized access and initiated an investigation by involving third-party experts and notifying law enforcement. Despite the measures taken, the leak caused a public outcry.
In August, the city filed a lawsuit against Ross himself, citing an attempt to prevent the possible dissemination of data. The authorities demanded that the researcher pay more than $25,000 in damages and completely stop disclosing information about the hack.
The decision of the Columbus authorities to file a lawsuit against the researcher has sparked a wave of discussions about the limits of ethical hacking and its role in protecting society. White hat hackers, or cybersecurity specialists, often face a difficult dilemma: divulge vulnerabilities in the name of protecting people or avoid possible lawsuits and punishment.
Many believe that transparency and timely public awareness of such incidents help minimize damage by preventing new attacks. But in this case, Columbus's actions showed that even good intentions can turn against a researcher, raising questions about fairness in the field.
Fortunately, two months later, the parties came to an agreement, and the city's lawsuit will be withdrawn. However, for the case to be finally dismissed, Ross agreed to a permanent ban on the disclosure of information, except in cases where it is already public and approved for publication by the city.
Casey Ellis, founder of Bugcrowd, comments that the case could set a dangerous precedent that would deter other researchers from publicly disclosing vulnerabilities in the public interest. According to him, such proceedings can negatively affect the cybersecurity community.
Source