Columbus Stops Cyber Researcher from Flagging Stolen Police Data

From Jordan Robertson and Jake Bleiberg, published at Wed Sep 04 2024

When hackers hit the city of Columbus, Ohio, leaking data and knocking out 911 services, Mayor Andrew Ginther downplayed the impact of the incident, saying the stolen information that surfaced on the dark web was useless to fraudsters because it was encrypted or corrupted.

That wasn’t exactly true, according to a cyber researcher who goes by the name Connor Goodwolf. Goodwolf alerted local TV stations about how easy it was to find unencrypted data about many Ohio residents in the haul. That data included people whose names appeared in confidential investigative files from law enforcement, he told local news outlets.

It was all part of an effort, the researcher said, to raise awareness about the compromise of residents’ personal information. The hack was 100% preventable, if not for weaknesses in the city system, he told local reporters.

After some embarrassing stories, Columbus’ city attorney went to court to try to stop the spread of the stolen information. The city just won a restraining order against Goodwolf, preventing him from accessing, downloading or disseminating the hacked data that was available online.

Accessing stolen data on the dark web is common practice for security pros, who scour forums and marketplaces to alert hacking victims that their information is online. Journalists, law enforcement officials and academics also use the same resources.

The novel legal case against Goodwolf, who is listed in the city complaint as David Leroy Ross Jr., highlights the kinds of legal threats that can haunt security specialists as they flag vulnerabilities that put people’s personal data at risk.

City officials have portrayed Goodwolf as someone exposing private police data, while local columnists described him as a whistleblower. The Columbus city attorney's office didn't immediately provide a comment when reached by Bloomberg News. Goodwolf didn’t respond to a request for comment.

Governments and corporations have long turned to courts to try stopping security experts from exposing damaging information about them. In one notorious 2021 case, police in Iowa arrested two cybersecurity employees who were testing courthouse security.

Attempts to stifle information by threatening cyber personnel could create a chilling effect resulting in fewer proactive reports about security problems, experts said.

If the good guys can’t report problems first, the bad guys might have more opportunities to exploit vulnerabilities, according to academics who have studied the issue.

“I think it’s always a mistake to try to mitigate the impacts of data breaches by going after people who are trying to inform the public about what data has been stolen and the potential risks to them,” said Josephine Wolff, a professor of cybersecurity policy at Tufts University.

The group that hacked the Columbus network, the Rhysida ransomware gang, specializes in “double extortion” attacks, where it encrypts victim networks and holds them for ransom while also threatening to leak stolen data if it’s not paid a fee.

Such attacks can be particularly painful for victims as they involve both a severe disruption to their computer networks and services and the long-tail fallout of having a huge amount of confidential files floating around the internet.

The US Federal Trade Commission settled with Verkada for $2.95 million after hackers breached the camera company to access live feeds and archived videos of customers including Tesla Inc. and psychiatric hospitals.

Attackers in 2021 said they breached surveillance footage collected by Verkada, gathering video from hospitals, police departments, prisons, schools and a range of companies. In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed.

Hackers said they breached the cameras to show the pervasiveness of surveillance and demonstrate the ease with which the systems could be broken into.

The monetary payment is in part related to allegations that Verkada violated an anti-spam measure by overwhelming potential customers with email advertisements. The FTC complaint also alleged that Verkada failed to fix known security vulnerabilities.

“We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way,” the company said in a statement. — Jeff Stone

North Korean hackers are impersonating job recruiters to try to keep stealing cryptocurrency, the FBI said in a statement Tuesday.

Attackers have been contacting employees at crypto firms and in the decentralized finance industry, engaging them in long conversations and then deploying malware to steal victims’ virtual currency, according to the advisory. They may go so far as to reference a victim’s personal details in order to try to establish trust, an indication the scammers scoured social media to gather clues on their potential targets.

North Koreans also tend to offer unrealistically high compensation as part of their apparent recruiting.

The goal is for hackers to steal as much cryptocurrency as possible. North Korea for years has conducted digital heists in order to try raising money in the face of international sanctions, according to US officials.

Thieves associated with the country are suspected in a $234 million heist that affected a service called the WazirX exchange in July. North Korean hackers also exploited a vulnerability in Google Chrome, since fixed, to try stealing digital funds, Microsoft Corp. said last week. And they’ve pushed apps marketed toward crypto investors that wind up stealing users’ investments, cyber experts found. — Jamie Tarabay
