Skip to main content
City of Columbus flag

NOT an official website of the City of Columbus

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.
This website does not have a .gov domain name.

Dot gov

This website says it's unofficial
Sometimes fake websites claim to be official websites. Fake websites often try to make you think they're official.
This website does not claim to be official.

Your personal information may have been copied if:

  • you are a juvenile or adult victim of a crime1 or fire2
  • you are an overt or undercover police officer1
  • you are a confidential police informant1
  • you ever filed a report with Columbus Police3
  • your driver’s license or state ID was ever scanned at a City facility1
  • you are an employee of the City of Columbus1 you have provided the City with your Social Security Number1

This list is based on press reports, filings in lawsuits concerning the hack, and City of Columbus communications.

My data may have been stolen. What can I do?

The City of Columbus offers two years of free credit reporting via Experian to adults and minors with Social Security Numbers,4 and to sole-proprietor businesses operating under an SSN instead of an EIN.5

Enroll at Columbus.gov/cyber

You must enroll by November 29, 2024 to take advantage of this free offer.

The City says that other ways you can protect yourself include:4

  • Change your passwords.
  • Monitor your bank accounts and credit cards for unusual activity.
  • Request a free credit report at annualcreditreport.com or 1-877-322-8228.5
  • Never give out personal information over the phone, email or by text.
  • Do not reply to emails asking for money, and do not click on links you don’t recognize.
  • Do not reply to text messages asking for money, and do not click on links you don’t recognize.
  • If you receive a weird email or text message from someone, contact them via another means such as calling them.
  • Report incidents of suspected identity theft to your local law enforcement.6
  • Report incidents of suspected identity theft to the Federal Trade Commission (the “FTC”). To file a complaint with the FTC, go to IdentityTheft.gov or call 1-877-ID-THEFT (1 (877) 438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies. Information on how to contact your state attorney general can be found in Appendix A to this letter.6
  • Report incidents of suspected identity theft to your state attorney general. Ohio Residents can use this form.6
  • Read the FTC’s guides to protecting yourself from identity theft.6

How can I check if my data was included in the leak?

The City of Columbus sent notices on October 7 to approximately 500,000 people whose data was included in the leak.6

Whether or not your data was included in the leak, you can still sign up for the two years of free credit monitoring.

Enroll at Columbus.gov/cyber

The hacking group which copied the data, Rhysida, says that they stole approximately 6.5 terabytes of data, of which they have released about 45 percent (3 terabytes) on their dark web site. Rhysida’s website is accessible to anyone with a TOR web browser.7

“It doesn’t take any sophistication or vast technical knowledge to access that,” [Electronic Frontier Foundation Free Speech and Transparency Litigation Director Aaron Mackey] said. “You can actually use a Google search to download a browser called Tor, which stands for ‘the onion router,’ and it allows you to actually access a lot of this material online. So it’s as sophisticated as downloading an app on your phone.” 8

As a side note, 3 terabytes is more data than the typical computer or phone has space to store.

What was stolen?

Based on press reports, court documents, news comments, and City staff comments, the following data was stolen:

  • backups of City employee computers including folders, documents, downloads, and favorites,9 their computer’s Windows registry9, and other files saved on their computers3
  • backups of City databases9,10
  • personal information of City employees and former employees5 which “likely contains payroll data” 10, including names, addresses, phone numbers, bank routing numbers and account information of City employees10, and the names, addresses, and phone numbers of City employee emergency contacts2
  • “Attendance Enterprise” data including paid time, vacation time, and badge numbers for 2,837 city employees2
  • data “related to watershed, AEP, and the utility companies”10
  • data from the City’s MATRIX Prosecutor and MatrixCrime databases, including “confidential records for cases of rape, homicide, child abuse and domestic violence,” as far back as 2014, with details including the scene of the crime, weapons used, evidence, victim injuries, victim statements, victim Social Security Numbers, victim addresses, victim phone numbers, and reports made by officers3 11 5
  • any report made by a resident to CPD3
  • identifying details of the Columbus Police Department’s undercover officers3
  • Columbus Division of Fire’s “Firehouse” database, including the SSNs of citizens involved in fire department investigations, and victims’ names, addresses, and Vehicle Identification Numbers, from 2014 to 20232
  • lists of visitors to City Hall11 5
  • lists of individuals allegedly banned from City buildings11

Approximately 500,000 people’s data was stolen, and may include their first and last name, date of birth, bank account information, driver’s license(s), Social Security Number, and/or other identifying information concerning their relations with the City of Columbus.6

Was any data not stolen?

Columbus’ parking management provider ParkMobile confirmed that they do not share customer data “directly” with the City, and have received no reports of data loss connected to this hack.12

What next?

The City of Columbus said on September 26 that it expects to be fully recovered by “the end of October”.13

The City of Columbus said on October 17 that it typically takes around 150 days to recover from a cyber-attack.14 The breach occurred on July 18, 2024,13 so 150 days later would be around December 2024.

Help contribute to this site

This is not an official Columbus government website.

If you’re aware of a fact that isn’t listed here, and that hasn’t been reported in the press or in court, please contact local law enforcement and/or the press.

If you’re aware of a fact that has been reported in the press, or has been reported in court, send that publicly-posted link to Ben Keith via the usual methods. He has zero desire to receive the data itself, or to receive your personal original research into the data. Send that to the press.

Sources

  1. Columbus City Council briefed on data breach: Here’s what we learnedThe Columbus Dispatch Published 6:09 a.m. ET Sept. 10, 2024. Updated: 11:10 a.m. ET Sept. 10, 2024. Archive.org copy. “And details provided by Ross — that the hacked data contained the identities of juvenile victims, undercover police officers, confidential police informants, driver licenses, employee information, Social Security numbers and more — is just ‘some,’ but not all of what got stolen. The city is still evaluating the extent of the damage, Orth said.”  2 3 4 5 6

  2. Gut-wrenching:’ More victims found in Columbus data leak” NBC4i. Posted Aug 19, 2024, 05:09 PM EDT. Updated Aug 19, 2024, 05:24 PM EDT. Archive.org copy. “One of those databases, called “Attendance Enterprise,” tracked paid time, vacation and badge numbers for 2,837 city workers. Goodwolf showed the records also contained employees’ Social Security numbers, as well as the names, addresses and phone numbers for emergency contacts. This is yet another set of data that’s exploitable, according to Goodwolf.”
    “Goodwolf also found a database called “Firehouse,” which contained Social Security numbers for citizens involved in Columbus Division of Fire investigations. It also held sensitive details in notes from hazmat and arson investigations, as well as victims’ names, addresses and vehicle identification numbers. The records stretched from 2014 to 2023, and included deceased victims.”  2 3 4

  3. Chief disturbed after database naming undercover Columbus officers found in leak ” NBC4i. Posted: Aug 28, 2024, 05:44 PM EDT. Updated: Aug 28, 2024, 10:56 PM EDT. Archive.org copy. “”  2 3 4 5

  4. Experian Partner Toolkit” provided to Area Commissioners. The information here is mostly reproduced on specific pages linked to from Columbus.gov/cyber 2

  5. Columbus City Council meeting, September 9, 2024. Relevant time stamps are 0:39:30 to 1:23:30 2 3 4 5

  6. Sample breach notification letter, filed by Columbus with Maine’s Office of the Attorney General. This letter was found via Bleeping Computer 2 3 4 5 6

  7. City of Columbus sues man after he discloses severity of ransomware attackArs Technica Published 4:00 p.m. ET August 8, 2024. Archive.org copy. “[…] the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city’s data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group’s dark web site, which is accessible to anyone with a TOR browser.” 

  8. Columbus whistleblower lawsuit violates First Amendment, digital rights group says ”, NBC4i. Posted Aug 30, 2024, 06:00 PM EDT. Updated Sep 3, 2024, 04:38 PM EDT. Archive.org copy

  9. Comment on the above Ars Technica article by Cédric J.1: “I just downloaded the TOR Browser, googled the Rhysida Onion address, browsed their Website to the Columbus Dump and now I have under my eyes a ton of Windows User’s profiles with all their folders (documents, desktop, downloads, favorites, etc.), user’s registry (NTUSER.DAT) and Gigabytes of databases backups.”  2 3

  10. “Ohio State professor explains what’s been posted on the dark web after Columbus ransomware attack” NBC4i. Published: 6:00 PM EDT August 8, 2024. Updated: 6:00 PM EDT August 8, 2024. Archive.org copy 2 3 4

  11. Motion for ex parte temporary restraining order, filed August 29, 2024. Case 24 CV 006703 in the Court of Common Please, Franklin County, Ohio, Civil Division. “Among the data stolen from the City and presumably posted to the dark web are the two backup prosecutor and crime databases. These databases contain large amounts of data gathered by the City prosecutors and the Columbus Division of Police pertaining to misdemeanor crimes prosecuted by the City’s Attorney’s office dating back to at least 2015. his data would potentially include sensitive personal information of police officers, as well as the reports submitted by arresting and undercover officers involved in the apprehension of persons charged criminally by the City prosecutor’s office. These databases also contain the personal information of crime victims of all ages, including minors, and witnesses to the crimes the City prosecuted from at least 2015 to the present.” Internal citations omitted. “[…] visitors to City Hall, victims of domestic violence and other misdemeanor offenses, and lists of individuals allegedly compiled to prevent their access to City buildings, just to name a few.”  2 3

  12. Columbus parking app gives answer on whether data leak impacts its users ” NBC4i. Posted Aug 26, 2024, 06:22 PM EDT. Updated Aug 26, 2024, 06:22 PM EDT. Archive.org copy. “For clarity, ParkMobile powers digital parking payments in Columbus via the ParkColumbus white label mobile app and website. A white label allows cities the option to display a customized branded experience through ParkMobile,” a spokesperson wrote. “To note, no customer data from a parking transaction is shared directly with the city. We also have no information suggesting that ParkMobile customer data is involved in the cyberattack on the city of Columbus.” 

  13. Cybersecurity Update, 26 September 2024, from Mayor Ginther: “Work is well underway to fortify and fully restore the systems that were impacted by the cyber-attack we discovered on July 18.” … “To date, 70% of the city’s systems have been fully restored, while another 7% have been partially restored. Our goal is to achieve full restoration of all systems by the end of October.”  2

  14. Cybersecurity Update October 17, 2024, from Mayor Ginther: “I am pleased to report that we are making steady progress toward full restoration and, as I shared last week, all of our most critical IT systems have already been restored. To help illustrate the speed and scale of our progress, most organizations typically recover from a cyber-attack within 150 days.”