Columbus Mayor Andrew J. Ginther said Saturday during a media briefing that people should expect more bad news in the coming days and weeks about the ransomware attack resulting in reams of data and personal information about city employees and private citizens leaked onto the dark web.
The press conference marked the first time the mayor publicly acknowledged that private citizens’ data was included in the massive data breach that likely compromised a half-million Columbus residents, putting their finances at risk.
Ginther said Saturday he hasn’t yet reviewed a single written report from IT professionals investigating the incident.
The mayor also declined to say who is giving him the technical evaluations that have repeatedly turned out to be false or, at minimum, an underestimation of the damage done. He also couldn’t explain why it took him four days to initially acknowledge that anything unusual had occurred except to say they were investigating the extent of the incident.
The press conference comes days after a local cybersecurity expert contradicted many of Ginther’s earlier assurances about the nature of the data stolen by a group known for attacking municipal governments and institutions that lacked appropriate IT security.
The breach has already resulted in lawsuits, and on Friday, the city announced Gov. Mike DeWine deployed the Ohio National Guard to help Columbus in getting a handle on the sprawling issue. Ginther said he made the request in late July.
“You know, there’s a team of folks who have been working with us since the beginning,” he said. “Ultimately, I’m the mayor. The buck stops with me.
“It was the best information that we had at the time. Clearly, we have discovered that that was inaccurate information, and I have to accept responsibility for that.”
Asked if the information he had received was in the form of written reports he could share with the news media, Ginther said he had not been given any written reports to date on an issue involving multiple systems, hundreds of thousands of victims, and potentially millions of dollars in taxpayer expenses.
Ginther said the city is still trying to figure out why IT investigators underestimated the extent of the damage done and the breadth of the compromised information.
Asked what he would tell people who think he’s not told the truth about the situation, Ginther said: “I accept full responsibility for sharing the best information that I had at the time. We learned that that information was inaccurate,” apparently from the news media, citing citizen cyber sleuths. He said the expansion of the credit monitoring should demonstrate his commitment to protecting residents.
The mayor also couldn’t give specifics about why, during an interview Friday, he initially told a television reporter that he wasn’t prepared to extend credit monitoring from city employees to private citizens who may have had their accounts compromised by foreign cybercriminals but just hours later unveiled just such a program, which the mayor said Saturday would cost millions of taxpayer dollars.
Credit monitoring for Columbus cyberattack will cost taxpayers millions
Ginther announced Friday afternoon that the city would offer free credit monitoring to all city residents due to personal data being stolen and put on the dark web during a ransomware cyberattack last month.
But he did allude to more bad news being imminent and the “investigation” continuing for potentially several more months. Ginther said that the city is focusing first on restoring systems so that it can operate. While the city had invested about $12 million into cybersecurity over the last five years, “clearly we need to do more.”
“Based on what we know at this point, we believe that other information is out on the dark web or could potentially be put out on the dark web,” Ginther said. Although that can’t be confirmed, they went ahead and expanded the credit monitoring to citizens on the assumption that more personal info “will be out there.”
“We would encourage anyone that has interacted with the city of Columbus, including the Municipal Court, to go to the website that the mayor has mentioned” to sign up for credit monitoring, and that serves as the official notification required by the city under state law to notify individuals that their personal information may have been compromised, City Attorney Zach Klein said.
“I’ll be the first to admit I am not an IT expert, I’m a mayor,” Ginther said at a media briefing on the City Hall campus. “And my number-one job is to make sure we do everything in our power to protect the hardworking families of Columbus who have been the victims of this attack.”
Only last Tuesday, Ginther had announced that data stolen in the incident was encrypted and useless to the cyber criminals, only to have citizen cyber trawlers who have been digging up evidence that the stolen information runs the gamut from scanned photo ID information of every person who had attended a City Council meeting in the last decade to juvenile court orders of protection, to potentially bank accounts.
“More information has been accessed” by cyber criminals
Ginther still couldn’t quantify Saturday how many city computer systems were infected and the range of data types stolen. “We’ve had a number of systems already restored,” he said, and is working around the clock to restore the rest without putting more data at risk “by restoring systems too quickly.”
He did confirm that the city now knows that the city prosecutor’s database has been hacked and information stolen, “which includes information of individuals involved with the justice system, including defendants, victims and witnesses.
“I want to acknowledge how concerned I am,” he said. “…At this point, I can unfortunately say that we will find that more personal information has been accessed or published by these criminals.”
And after ducking questions about the attack for weeks — as have other elected city officials on the exclusively Democrat City Council, which ostensibly acts in an oversight role over the mayor — Ginther said, “As we continue to learn more, we’re going to be forthcoming with as much verifiable information as possible amid an active investigation.”
The new credit monitoring program now available to every resident and anyone else whose data was potentially compromised comes with a $1 million insurance policy against cyberfraud, Ginther said.
Klein said it his office’s understanding that by taking the city up on the policy, citizens are not signing away any rights to sue for damages. The policy is available through the end of November.
@ReporterBush
This article originally appeared on The Columbus Dispatch: Columbus Mayor Andrew Ginther: Expect more bad news about cyber attack
Source Agencies
