Columbus, November 14, 2024 – Following a ransomware attack in July by the Rhysida group, the city of Columbus, Ohio, has faced ongoing data breaches and public scrutiny, culminating in threats from a hacker known as Nam3L3ss.
The ransomware attack resulted in outages for public agency systems, although Columbus officials initially claimed no data was encrypted. However, Rhysida alleged the theft of 6.5 terabytes of data, with 260,000 files published after the city refused to pay the ransom.
Columbus Mayor Andrew Ginther dismissed the leaked data’s value, prompting cyber researcher David Leroy Ross, known as Connor Goodwolf, to challenge this assertion. In response, the city filed a lawsuit against Goodwolf for allegedly sharing stolen data, which they deemed illegal and careless. The lawsuit was later dropped after a settlement, which included a permanent injunction restricting Goodwolf’s ability to share data without city approval.
Recently, Nam3L3ss leaked employee data from several companies affected by the MOVEit vulnerability, including Amazon and McDonald’s. The hacker cited the city’s persecution of Goodwolf as a catalyst for these actions, declaring in a manifesto that he is not affiliated with any threat group and merely monitors unprotected data online. He criticized companies and government agencies for failing to encrypt sensitive information during transfers.
Nam3L3ss specifically targeted Mayor Ginther in his manifesto, asserting that he would release unredacted data, including sensitive information from police departments, in retaliation for the city’s actions against Goodwolf. The hacker emphasized the responsibility of organizations to ensure the security of personal identifiable information (PII) and criticized the city for its handling of the situation.
Despite the lawsuit’s dismissal, Nam3L3ss continues to leak data from major organizations, receiving mixed reactions from the hacking community. Some users expressed support for his actions, while others raised concerns about Goodwolf’s past, linking him to allegations of inappropriate behavior.
The ongoing situation highlights the complexities of cybersecurity, data privacy, and the repercussions of inadequate data protection measures within public and private sectors.
