A hot potato: Security researchers play a vital role in protecting the internet from cyber threats. They locate and disclose vulnerabilities in critical systems to protect users and state institutions. So, it’s no small affair when a government entity takes legal action against these watchdogs.
In a strange turn of events following a significant ransomware attack on the city of Columbus, Ohio, a judge has issued a temporary restraining order against cybersecurity researcher David Leroy Ross. The Dispatch notes that Ross allegedly published information regarding a security breach last month that he felt officials were trying to sweep under the rug.
The July 18 attack was attributed to the ransomware group Rhysida. It resulted in the theft of 6.5 terabytes of sensitive data hosted on Columbus city servers. Rhysida attempted to auction the information for $1.7 million in Bitcoin. However, failing to find a buyer, the group released approximately 45 percent of the data on the dark web.
Columbus Mayor Andrew Ginther initially assured the public that the stolen data was either encrypted or corrupted, rendering it unusable. However, under the alias Connor Goodwolf, Ross challenged these claims by presenting evidence to local media that the data was intact and contained “highly sensitive” information. This data included personal details of city employees and residents, sensitive information from domestic violence cases, and the Social Security numbers of police officers and crime victims.
In response to Ross’s disclosures, the city of Columbus filed a lawsuit against him, alleging criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit argues that by downloading and disseminating the data, Ross interacted with criminal elements on the dark web, requiring specialized expertise and tools. The city also contends that his actions made the data more publicly accessible, posing a significant risk to public safety.
“The dark web-posted data is not readily available for public consumption,” city attorneys claimed. “[The] defendant is making it so.”
A Franklin County judge issued the restraining order this week, prohibiting Ross from accessing, downloading, or disseminating any of the stolen data. The decision was made “ex parte,” meaning it was issued without notifying Ross or allowing him to present his case.
Ars Technica notes that City Attorney Zach Klein defended the legal action, stating that the lawsuit was necessary to prevent the dissemination of stolen criminal investigatory records and to protect public safety.
“This is not about freedom of speech or whistleblowing,” he said. “This is about the downloading and disclosure of stolen criminal investigatory records.”
Unsurprisingly, the restraining order has sparked controversy. Ross accused the city of attempting to scapegoat him for its security failures. He has indicated plans to seek legal recourse, potentially involving the American Civil Liberties Union. Meanwhile, the city faces additional legal challenges, as civil attorneys have filed at least two lawsuits seeking class-action status over the city’s failure to protect personal information.