stats count Columbus drops lawsuit against data leak whistleblower Connor Goodwolf, but with a catch – Meer Beek

Columbus drops lawsuit against data leak whistleblower Connor Goodwolf, but with a catch

COLUMBUS, Ohio (WCMH) — Nearly two months after the City of Columbus hit a whistleblower with a lawsuit and order to stop discussing its data leak, both sides have reached an agreement that will result in the case being dropped.

The Columbus City Attorney’s Office originally went after Connor Goodwolf, seeking damages “greater than $25,000,” after the cybersecurity researcher disproved Mayor Andrew Ginther’s claim that city data uploaded to the dark web was “encrypted or corrupted.” Hours after Ginther made the comments, NBC4 broke the news with Goodwolf that not only were city employees’ sensitive information exposed and accessible, but the public’s as well.

On Friday, however, the city attorney’s office announced it had filed a motion to dismiss its lawsuit against Goodwolf in Franklin County Common Pleas Court. This was the outcome the researcher had been hoping for since Sept. 11, when he agreed to a preliminary injunction that banned him from sharing any sensitive findings from the leak with the public.

Connor Goodwolf. (NBC4 Photo/Mike Klug)

“While I remain concerned about anyone having access to this sensitive data, conversations with (Goodwolf) have been positive, and all parties have agreed to move forward with an agreement that continues to prevent the dissemination of information, such as confidential law enforcement records, while protecting free speech,” said City Attorney Zach Klein.

Goodwolf was hoping for and received a dismissal with prejudice, meaning the City of Columbus cannot bring a case against him again for the same reason. But it came with a caveat, as the whistleblower had to agree to a permanent injunction that upheld the terms of the preliminary one. A rule that he will only be allowed to outwardly share data considered public records — with written approval from the city — remains in effect.

View the agreement, which is pending a judge’s approval, below:

In the weeks after suing Goodwolf, the city had faced mounting public pressure to reconsider the move. The Electronic Frontier Foundation contested the city’s claim that Goodwolf used “a level of sophistication” to get the data from the dark web, and also accused the local government of violating his First Amendment rights. Experts from across the international cybersecurity industry also penned an open letter to Klein, expressing opposition to the lawsuit.

The data leak stemmed from an attempted ransomware attack by the group Rhysida. Columbus IT staff first detected the hackers had accessed city servers on July 18, and Ginther said the team managed to stop Rhysida before they locked any systems down. However, Rhysida later launched an auction on the dark web, advertising over six terabytes of stolen data from the City of Columbus and seeking a starting bid of 30 bitcoin. When no one met the hackers’ asking price, Rhysida publicly leaked 3.1 terabytes for anyone to access on their website.

After the initial revelation about the severity of the leak, Goodwolf’s research into the exposed data went further and further. The lawsuit from Klein’s office did not pin the blame on Goodwolf for stealing the data originally. But documents in the case accused him of creating “serious public inconvenience and alarm” through showing the damage done, which Goodwolf had tried to warn the city about first.

“This is not about freedom of speech, or whistleblowing, this is about the downloading and disclosure of stolen criminal investigatory records,” Klein said Aug. 29. “This effect is to get him to stop downloading and disclosing stolen criminal records … It has gone to the next level to where there is witnesses, potential suspects, undercover officers whose data is out there.”

Separate from the case against Goodwolf, the City of Columbus is simultaneously facing two different class-action lawsuits over its handling of the ransomware attack. In filings, Columbus police officers accused the city of keeping them “in the dark” as around a dozen reported their bank accounts had been tampered with, and at least one undercover officer expressed concern his cover had been blown.

The city also expanded an offer of free credit monitoring to anyone, once it was proven the scope of the data leak extended beyond workers who initially received the coverage out of precaution. The deadline to sign up is approaching on Nov. 29.

As of Friday, Columbus Department of Technology Director Sam Orth told the city council that his team was still working to get systems back online from the cyberattack. Orth was originally expected to release a breach report by the end of October, outlining the extent of the attack and what was stolen, but gave an updated timeline going into December.

About admin