Judge grants restraining order against cybersecurity expert
A Franklin County judge issued a restraining order against Connor Goodwolf for disclosing details of a Columbus cyberattack, which the city claims threatens public safety and ongoing investigations.
Read original article
A Franklin County judge has issued a temporary restraining order against cybersecurity expert Connor Goodwolf, who disclosed details about a cyberattack on the city of Columbus. The city first detected the breach on July 18, leading to a severance of its internet connection. The hacker group Rhysida claimed responsibility, stating they had stolen 6.5 terabytes of data, of which they released 45%. Goodwolf has publicly shared information about the data on the dark web, including sensitive police records. The city argues that Goodwolf's actions have caused "irreparable harm" and threaten public safety, particularly for victims and witnesses involved in ongoing investigations. The city is seeking at least $25,000 in damages and has filed claims for invasion of privacy, negligence, and civil conversion. City Attorney Zach Klein emphasized that the restraining order is not about suppressing Goodwolf's speech but about preventing the dissemination of sensitive information. A pretrial conference is scheduled for September 18, 2025. Goodwolf has declined to comment on the matter.
- A judge granted a restraining order against cybersecurity expert Connor Goodwolf for revealing details of a city cyberattack.
- The city of Columbus claims Goodwolf's actions threaten public safety and ongoing criminal investigations.
- The hacker group Rhysida claimed responsibility for the cyberattack, stealing 6.5 terabytes of data.
- The city is seeking at least $25,000 in damages and has filed multiple claims against Goodwolf.
- A pretrial conference is set for September 18, 2025.
Related
2.9B hit in one of largest data breaches; full names and SSNs exposed
A data breach has exposed personal information of 2.9 billion individuals, linked to National Public Data and hackers. A lawsuit seeks compensation and secure disposal of the stolen data.
Background check company breached, nearly 3B exposed in data theft
A data breach at National Public Data affected nearly 3 billion individuals, exposing sensitive information. The hacker group USDoD demanded $3.5 million for the compromised database, raising privacy concerns.
My post-mortem on the CrowdStrike incident
On July 19, 2024, CrowdStrike's software update caused system crashes on Windows devices, leading to $10 billion in losses and operational disruptions, prompting a reevaluation of cybersecurity practices and potential legal issues.
Hackers leak 2.7B data records with Social Security numbers
Hackers leaked about 2.7 billion records of personal information from National Public Data, prompting class action lawsuits and warnings for individuals to monitor credit reports and avoid phishing attempts.
Ransomware attack closed L.A. courts for days. Public deserves a full accounting
In July 2024, a ransomware attack forced the Los Angeles Superior Court to close for two days, disrupting critical functions and prompting an ongoing criminal investigation into the incident.
- Many commenters express sympathy for Goodwolf, arguing that he was trying to raise awareness about the city's security failures.
- There is a consensus that the city's response, including the lawsuit, is seen as an attempt to suppress legitimate criticism and protect its reputation.
- Several users highlight the importance of responsible disclosure and the potential dangers of sharing sensitive data.
- Comments suggest that the city's claims about the data being encrypted or corrupted were misleading.
- Some users advocate for legal support from organizations like the EFF or ACLU to challenge the restraining order.
18 commentsThe city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.
If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.
Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?
I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But how you do it really matters.
(Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)
> the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.
This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.
No, this is about how you lied to your public about the nature and format of the data that you failed to protect
> On Aug. 13, Mayor Andrew Ginther said the data stolen by hackers was either corrupted or encrypted, meaning it was likely useless. Hours later, Goodwolf told 10TV that wasn't true and he showed what kind of personal information he was able to access.
lol - the entire city leadership needs to be recalled. They get caught with their pants down (no security), lie to the public (“it’s encrypted bro!1! trust me I’m a politician!!), lies get rightfully called out, and their response is to pour gas on the fire with this silly lawsuit funded by the local tax payers.
Suing security researchers for investigating the contents of disclosed information is ineffective at protecting anyone.
https://arstechnica.com/security/2024/08/city-of-columbus-su...
Public website hosting hacked records: not sued
Lying public servant: not sued
Joe Schmoe for pointing out all three: sued
Lol, unless the article is reporting something off, features like Chrome or Firefox reporting one of your passwords may have been compromised would be illegal.
The reality is that this city is wrong.
Then just be like, yeah, there's like 3 TB of data there, maybe it's class-action worthy, hint, hint.
Might there be any lawyers with opinions (& disclaimers, obviously) in the house?
the internet is not google, no amount of sand over the head or in the eyes will change that.
Columbus officials chose to invalidate threat to public safety by way of misinformation, then retaliate when the threat and true situation was revealed.
keeping people ignorant of threatscape is not good government.
thinking the 'darkweb' is some sort of containment by obscurity, is beyond naive.
the city of columbus is actually inhibiting a proper response and perpetuating a cavalier security stance.
this is not going unnoticed.
[1] [This is a bigger issue here': Columbus resident wishes the city told residents about the data breach sooner]
https://www.10tv.com/article/news/local/columbus-woman-wishe...
[2] Second class-action lawsuit, representing police and firefighters, filed against city after cyberattack
https://www.10tv.com/article/news/local/second-class-action-...
[3] Ginther confirms personal information of Columbus residents exposed in cyberattack
https://www.10tv.com/article/news/local/ginther-press-confer...
Related
2.9B hit in one of largest data breaches; full names and SSNs exposed
A data breach has exposed personal information of 2.9 billion individuals, linked to National Public Data and hackers. A lawsuit seeks compensation and secure disposal of the stolen data.
Background check company breached, nearly 3B exposed in data theft
A data breach at National Public Data affected nearly 3 billion individuals, exposing sensitive information. The hacker group USDoD demanded $3.5 million for the compromised database, raising privacy concerns.
My post-mortem on the CrowdStrike incident
On July 19, 2024, CrowdStrike's software update caused system crashes on Windows devices, leading to $10 billion in losses and operational disruptions, prompting a reevaluation of cybersecurity practices and potential legal issues.
Hackers leak 2.7B data records with Social Security numbers
Hackers leaked about 2.7 billion records of personal information from National Public Data, prompting class action lawsuits and warnings for individuals to monitor credit reports and avoid phishing attempts.
Ransomware attack closed L.A. courts for days. Public deserves a full accounting
In July 2024, a ransomware attack forced the Los Angeles Superior Court to close for two days, disrupting critical functions and prompting an ongoing criminal investigation into the incident.