The city of Columbus has obtained a temporary restraining order against cybersecurity expert David L. Ross Jr., also known as Connor Goodwolf, in a bid to prevent him from accessing, downloading, and disseminating sensitive files stolen from the city’s server farm during a ransomware attack.
City Attorney Zach Klein had requested the order, citing the need to protect police, victims, and the public from potential harm.
Controversy Surrounding the Restraining Order
The restraining order has sparked controversy, as Ross has been instrumental in alerting the public about the extent of the data breach. His disclosures have often contradicted statements made by city officials, including Mayor Andrew Ginther, about the severity of the hack.
Ross argues that the city is trying to prevent him from exposing the full extent of the data breach, which he believes has been mishandled by the city’s IT department. He stated that the city’s data breach consultant tried to hire him earlier, which he suspects was an attempt to prevent him from speaking publicly about the breach.
He plans to seek legal representation and has suggested the possibility of a lawsuit against the city for infringing on his First Amendment rights. The online court docket doesn’t permit the public to see that document, and the file still lists Noble’s name as the judge in the case.
Goodwolf had been alerting the city’s public that personal information on city officials and citizens, including driver’s license and Social Security information, as being among the data that had been hacked and posted online after the city refused to pay ransom negotiations. The files are further stated to include data on victims of criminal acts such as domestic violence victims, and personal information about undercover Columbus police officers.
Columbus Breach Stated to Include Personal Data
City Attorney Zach Klein, justified and welcomed the decision from Common Pleas Judge Kim Brown, “As City Attorney, I have a duty to do whatever I can to protect police, victims, undercover officers and the public when they are threatened with harm.”
“This decision is a positive step to stem the dissemination of stolen confidential personnel and victim data—information that compromises active investigations and poses a threat to the lives and livelihoods of real people,” he added.
Daniel Maldet, from the Columbus office of CMIT Solutions, though not directly involved with the case’s investigation, shed further light on the breach‘s extent. He stated, “They are showing that 3.1 TB (terabytes) of data is released – 258,270 files which is 45% of the stolen data. They show, ‘not sold data was uploaded, data hunter, enjoy’. This might suggest that 55% of the data was sold — that’s just a guess.”
Earlier in January 2023, the Columbus City Council had approved a $2.5 million contract for ‘Cybersecurity Products and Services’ after receiving proposals from five different firms.