A Dayton cyber security expert is criticizing Columbus' response to the ransomware attack that started July 18.
Shawn Waldman, CEO of Secure Cyber, a Dayton cyber security company, said the city should be communicating with the public about what happened and providing education to the people whose data has been compromised.
Waldman said it is becoming increasingly difficult to fight against ransomware attacks that steal data and hold devices hostage with encryption. But, he said the city should let the public know how they're handling it.
On Thursday, Mayor Andrew Ginther criticized speculation about the incident, after the criminal hacker group Rhysida began releasing data and police officers started reporting fraudulent activity on their accounts. Rhysida, which has taken credit for the hack, has listed data it said it stole on the dark web and asked bidders to offer 30 bitcoins, or close to $2 million for the data.
Daniel Maldet is the owner of the Columbus office of CMIT Solutions. Maldet does not work for the city, but has been monitoring the situation. Maldet said he is seeing 3.1 terabytes of the 6.5 terabytes the group said it stole from the city, which is about 45% of the data.
Ginther said in a statement, "With much respect, I share with you that speculation by individuals external to the investigation may not benefit the objective of educating the public on this incident."
"Claims being made by sources external to the investigation about the actions of the threat actor do not match the assessments of cybersecurity experts and law enforcement actively working on the case," Ginther said.
Ginther also said, "We appreciate your understanding that what we can say remains limited and this situation continues to evolve."
Waldman said the city is creating speculation by not fulfilling its duty to keep the public updated.
"I know the city's getting irritated at the media, what they call speculating. But, you know, in the absence of any information and the public and the employees getting irritated, I don't know what they expect people to do other than just, you know, shut up, sit down, be quiet and wait for us to give you whatever we give you," he said.
Waldman said it will take time to go through the data breach forensically, but there is information that could be shared with the public.
"I'd immediately tell them, without jeopardizing the case. Walk the public through the steps. Educate them on how these work. What happens? What's going on behind the scenes," Waldman said. "I would proactively have press conferences at least once a week. So I would be open with the media. I would encourage them to come in and answer questions. I would be bringing all relevant people as part of the investigation and we would answer the questions to the best of our ability, but we would offer the ability to be transparent as much as possible."
Waldman teaches cyber security to local governments and has worked as a police officer and 911 dispatcher.
"I mean, you have to be open. What are some of the things that could happen with people that have your information, so that we can educate people on what to look for and what to be aware of," Waldman said.
If he were advising the city, Waldman said he would insist on keeping the public informed by talking to the media and posting daily updates on a designated and accessible site, like a social media page.
"What is the status of city services. What's up? What's down? What can the public do and not do? How many devices are offline and not available? How many devices do you have to restore from backup," Waldman said.
Waldman said cyber security experts are in high demand and that leads to high salary offers from private companies, leaving few qualified in the field in local governments who can combat a sophisticated attack. After the data is breached, there is little that can be done to make sure important information isn't leaked or sold. Even paying a ransom isn't a guarantee.
"There's no honor among thieves, right? So even if you pay them, you know, they're not going to be like, oh, okay, well, here's all your information back. And we promise to never give it to anyone because you paid us," Waldman said.
Waldman also said city employees should be locking their credit on all three monitoring sites, and also take advantage of credit monitoring services, which the city is offering to employees.
Meanwhile, the Columbus police union is funneling its members to a lawyer if they believe their bank accounts or other private information was hacked.
Brian Steel, president of Fraternal Order of Police Capital City Lodge No. 9, told WOSU Thursday the union is sending members to a lawyer to determine whether they should file lawsuits against the city.
Steel said members have told him money has been missing from bank accounts. Some have told him that someone has tried to open credit cards in their names.