Exposed Employee PII in Ransomware Attack Spurs Class Action Lawsuit for City of Columbus

The law firm Cooper Elliott filed a class-action lawsuit against the City of Columbus following a ransomware attack that compromised the personal information of city employees.  

‍

Spencer Meador, a representative from the firm, stated that the lack of communication from the city has exacerbated the situation, leaving many employees frustrated and in the dark, ABC6 reports.

‍

The lawsuit was filed on August 9 on behalf of two Columbus police officers, with a request to include all current and former employees.

‍

The international ransomware group Rhysida claims responsibility for the attack, asserting that they stole 6.5 TB of data, including passwords, log-ins, and access to city cameras.  

‍

They have threatened to release this information unless a ransom of nearly $2 million is paid. The lawsuit accuses the city of recklessly failing to protect employee data and delaying notification of the breach.

‍

One of the officers involved in the lawsuit is an undercover officer who fears for his safety if his identity is exposed. The Fraternal Order of Police has also advised its members to seek outside legal counsel.  

‍

While the city has offered credit monitoring and identity theft services, Meador emphasized that these measures cannot undo the damage already done. The Mayor’s Office and City Attorney’s Office have declined to comment on the lawsuit, citing pending legal action.

‍

Takeaway: About 80% of ransomware attacks involve double extortion in which sensitive data is exfiltrated prior to delivery of the ransomware payload and used as added leverage to compel payment of a ransom demand.  

‍

Ransomware attacks now frequently center on data exfiltration, with some groups entirely abandoning the encryption aspect to focus exclusively on stealing data and extorting victims.  

‍

The exfiltration of sensitive data not only complicates recovery efforts following a ransomware attack but also heightens the risk of facing severe legal and regulatory consequences.

‍

This shift has transformed ransomware attacks into a critical legal and regulatory issue. Depending on the industry and jurisdiction, data protection laws may require prompt breach reporting, with strict penalties for non-compliance.

‍

In the past two years, there has been a significant rise in class action lawsuits related to ransomware attacks that involve data exfiltration. This surge in legal challenges is exerting considerable pressure on organizations, C-suite executives, and Boards of Directors.

‍

Even organizations with strong response and recovery plans are not immune to these risks, as the theft or exposure of sensitive data substantially increases their liability.  

‍

It’s crucial for organizations to recognize that the risks associated with ransomware attacks extend far beyond immediate financial and operational disruptions, posing significant threats to sensitive data and intellectual property.

‍

The increasing trend among ransomware operators to threaten the public release or sale of stolen data if ransoms are not paid brings severe repercussions, including regulatory fines, legal liability, and long-term damage to an organization.

‍

The growing legal and regulatory scrutiny is increasingly holding leadership accountable, indicating a shift towards greater responsibility at the highest levels of any organization.

‍

The aftermath of major security incidents now often includes class action lawsuits, regulatory actions, and even potential criminal prosecutions for leadership, particularly when sensitive or regulated data is compromised.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.