Columbus Thwarted Ransomware Encryption of its IT Infrastructure

Published on July 29, 2024

Important Message from the City of Columbus

The City of Columbus’ continuing investigation of a July 18 cybersecurity incident has found that a foreign cyber threat actor attempted to disrupt the city’s IT infrastructure, in a possible effort to deploy ransomware and solicit a ransom payment from the city. Fortunately, the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure, which included severing internet connectivity. While the threat actor’s activity was disrupted, an investigation is ongoing to determine the amount of city data potentially accessed. 

Once the threat actor activity was identified, the city immediately engaged the FBI and Homeland Security to further protect its systems and data. The incident remains an ongoing situation and the investigation is in its earliest stages. The city is in the process of identifying individuals whose personal information was potentially exposed and will provide notice and additional guidance to all who are impacted in the coming weeks.

“The City of Columbus was the victim of a crime committed by an established, sophisticated threat actor operating overseas. I’m grateful for the swift and bold action of our Department of Technology, the FBI and Homeland Security to protect our IT systems, our residents and our employees,” said Mayor Andrew J. Ginther. “We continue to focus on restoring city services. We appreciate the grace our residents have offered us and the dedication of our employees working to keep our city running. We will support a thorough investigation and help to educate other cities on how they can avoid falling victim to similar attacks.”

The Department of Technology, working with federal authorities and cybersecurity experts, has been engaged in a methodical process to ensure that its technology systems are hardened against further breach before bringing them back online. The 9-1-1 and 3-1-1 systems have remained operational throughout the efforts to protect and restore IT connectivity. External email is now operating on city devices inside city buildings.

Additional and ongoing forensic investigation has uncovered that the threat actor gained access to the city’s system through an internet website download, not through an email link, which was originally believed to have been the access point.
