City of Columbus Data Breach: A Wake-Up Call for Government Cybersecurity Failures
Published: Aug 23, 2024
Duration: 00:21:10
Category: Science & Technology
Introduction

Another day, another data breach. But we shouldn't be treating data breaches like a laissez-faire event, that they just happen all the time and my data is already leaked out there. We should be treating every single data breach as if we just had walked in on our parents doing the nasty, the vertical mambo or the horizontal mambo, depending on how you caught them in. There's a lot of therapy involved with that story.

Anyway, we're going to be talking about a breach that in my opinion was worse than the National Public Data breach, which had 2.9 billion records leaked, and that was bad enough as it was. As I've talked about that before, where now for the first time people were able to search up a lot of different people, I think the number has officially become about 250, 260 million Americans' Social Security numbers, prior addresses, known associates, email addresses and everything in a publicly searchable database. And this has never really been done before. Even when Equifax was breached before, you know, they had Social Security numbers and all that, it was never really in a public fashion. This became public.

Well, the city of Columbus in my opinion had an even worse breach, and the handling of it is really bad and proves why we need to have a significant shift in how we approach cyber security. And most of the issue comes down to the humans interacting with our systems every day. We need to have constant training regimens, because you will be shocked about how I, as a cyber security engineer, have been able to social engineer information out of a lot of our people every day and get them to click on things that they shouldn't. As well as the engineers behind these systems, well, more so the architects, 'cause the engineers are just doing the bidding of the architects, um, are not architecting the systems appropriately to secure their systems.

Um, so the city of Columbus, Ohio had a breach, and this breach was really bad. It even leaked apparently information about confidential informants. So this
actually started, beginning, unfolding on July 18th.

So it begins

We're going to read the timeline over here. This is brought to you by, um, 10TV news. Uh, there's also NBC 4 and a few others that have been covering this, like ABC6. Um, but there are currently two different class action lawsuits against the city seeking information and asking the city to adopt sufficient security practices and safeguards to prevent incidents like data breaches. This is how it reads from 10TV: the city is now offering free credit monitoring for affected residents through Experian. 2 years of credit monitoring ain't anything but more than a Band-Aid when it comes to these situations.

So here is the current timeline as 10TV outlines, is that, um, the breach was first reported on July 22nd, after Columbus Mayor Andrew Ginther's office released a statement saying the city's Department of Technology found evidence of an abnormality in its system on July 18th. A little bit vague there, buddy. As a result, the city severed internet connection to reduce the threat to the city's systems. Reasonable approach. Wish you had a little bit better mitigations; we'll get to that a little later.

Officers Bank Hacked

Nearly 2 weeks after Ginther unplugged the city from the internet, two officers with the Columbus Police, Division of Police, came forward on July 31st saying their bank accounts were hacked. Police officers, regardless of what your position may be on police, that's still no bueno. They're city employees doing their job. The two sources said an unspecified amount of money was taken from the accounts. The mayor's office did not comment at the time but said it was aware of the reports. But this goes back again to where I had the video talking about you should not be using the same passwords, you should be monitoring a lot of these different things, you should have multi-factor authentication. That video can help protect against these kind of issues if your information does get leaked. Not saying this is on the
officers. I'm saying this could have been helped to be prevented, but their information shouldn't have been out there in the first place. And we'll get into the fact that I don't believe that Social Security numbers and a lot of this information that we have as archaic should be identifying factors, and the United States needs to adopt better approaches federally to prevent our data from being used in the way that it did.

Ransom Declared, Employee Data Revealed

Rhysida demands nearly 2 million in ransom for 6.5 terabytes of stolen city data. On August 1st, a hacker group came forward claiming responsibility for the attack and demanding nearly 2 million in ransom for the data. The hacker group released screen captures of data to prove that they have the city's sensitive data. It shows security camera footage and dispatching information along with tables of employee data they claim to have. So far at this point it appeared that Columbus Police employees' information was the most at risk. The people working for the government, the government that's supposed to protect us, we're having their people most affected. Many Columbus police officers closed out their current banking accounts and asked the city to pay them by paper check instead of direct deposit to secure their new accounts.

Then on August 2nd, Ginther's office confirmed earlier that week that a foreign cyber threat actor attempted to disrupt the city's IT infrastructure to deploy ransomware and solicit a ransom payment from the city.

Rhysida posts 45% of the city's data on the dark web, around August 7th, after holding the city's data for ransom. Um, they had threatened to release more if the city didn't pay the ransom by the following morning. However, Ginther's office said there is no evidence the data has been published. Buddy, buddy. Now of course don't pay ransoms, but don't make claims like that. That is basically "challenge accepted." Ginther's office confirmed they are aware of the claims that data has been published and added the links
are broken, but would not comment any further about possible, uh, negotiations.

First Lawsuit Filed

The first class action lawsuit was filed on August 9th against the city of Columbus, alleging that the city failed to protect highly sensitive data. The lawsuit was later amended to include any resident who was affected by the breach. So this didn't affect just, uh, employees, just, you know, affected residents, confidential informants and a whole bunch of things. This upends the trust and faith that people have in government, if you have any, that is, to begin with.

Mayor, uh, Ginther said majority of stolen data is totally unusable. Ginther provided an update on the city's ongoing battle with the cyber attack on August 13th, saying the data stolen by hackers were either corrupted or encrypted, meaning it was likely useless.

Why was data corrupted?

If your data was corrupted, what were your data management practices like? Were you actually checking your data and things like that? That actually makes me have more questions about the city's storage of data, not just the, um, secure storage of it, the labeling, the, um, backups, all that, but are you actively checking the integrity of your data?

May have come from backups

According to a fact sheet published by the city Tuesday, the data posted to the dark web by ransomware group Rhysida, however you pronounce that, contained corrupted and encrypted information from city backup files. So it looks like at this point it was from city backups, which is something that a lot of companies and individuals, as well as, um, corp-, uh, apparently government corporations (yes, they are a corporation) overlook, is the security of your data backups. Now what intrigues me is, um, how were they backing it up? What were these data centers like? What were the policies with these data centers? Who were the stewards of the data? Who were the custodians? And what were the policies and procedures? These are a lot of things that we have to start asking the questions of, not just of government but
how we approach cyber security as a whole, and a lot of these things are being covered actually in the exam that I'm taking for CISSP soon.

Past 10 years of City Hall visitors affected

So a cyber security expert, uh, revealed to the news, uh, what personal information was available in the dark web later that day. Um, apparently this was on August 13th, and, uh, cybersecurity expert Connor Goodwolf, which is a name he chose for the interview and is not his legal name, said anyone who swiped their driver's license at City Hall in the last 10 years could be on the dark web. You just visited City Hall, you came in for a class trip just to see how government works, and you see how incompetent government is working to protect your data.

Boomers man...

Because the problem is a lot of the people that run the government and run these data practices, you know, and security practices, they're Boomers. They don't know how technology works. The fact that I even have to fight with my own family about how they need to store their own data, because things, you know, can go bump in the night. Even when I talk to them and I say do not put this information anywhere on a digital device, and they go ahead and do it. I know, uh, people that actually store passwords in contact management systems. You shouldn't be doing that. Not even a password-protected Excel file. Get a password manager. I digress.

City Prosecutors Office Affected

10 years. He said the leaked data also included anyone who has dealt with the Columbus city attorney's prosecuting office in any way, including victims, suspects or someone who was subpoenaed by the court of law or law enforcement. So imagine all those people that are in highly sensitive cases right now, that are having their lives already upended because they happen to be in some kind of a criminal endeavor, um, that they're being protected from, now have to upend their lives again because that information is now compromised because the government did not manage their data appropriately.

The mayor
said that he didn't lie, apparently.

Mayor Said he didn't lie

Uh, when, uh, 10TV apparently asked Ginther if he lied about the extent of knowledge of the information that had been leaked, he gave a resounding no: "I shared the best information I had at the time based on reports and confirmation from cyber security experts. Obviously what we have learned since then is continuing on our investigation and what is possibly out there, who has access to it." He needs to get a better course in PR.

Tired of Free Credit Monitoring Rant

Then: city expands free credit monitoring to residents. On August 16th the city expanded the free credit monitoring to all residents impacted by the cyber attack. You know, I'm tired of the answer of being, you know what, you got compromised, free credit monitoring. Free credit monitoring, bro. We've been getting free credit monitoring offers since Equifax themselves got compromised, and I'm sick and tired of it. Maybe the United States government should actually take some proactive measures to stop this kind of thing. Europe has GDPR that prevents this amount of data from being used in the way that it is. We need to have more cautious and cognizant control around how we are managing all of the sensitive data, instead of just saying, well, it's out there. And stop being so laissez-faire. Like I said, treat it like, you know, you just walked in and your parents doing the vertical or horizontal mambo, depending on how your trauma played out in therapy. There's a lot of story behind that.

Confirmed Citizen Data Exposed

Um, Ginther admits for the first time that citizens' information was exposed. So this was almost, uh, what are we talking, uh, July 18th, so a whole month later we figure out that citizens had their information exposed. More than 2 weeks after the hacker group demanded a ransom, Ginther confirmed that personally identified information was leaked on the dark web. He also confirmed that data such as information on criminals, victims of crimes and witnesses from the city
prosecutor's office was leaked. Ginther added that more personal information may have been accessed and could be published on the dark web.

Second City Database Compromised

Now, a second city database was hacked on August, uh, 19th. A second city database, Jesus. This included thousands of incident reports from the Columbus Division of Fire (wow, word) and information from people who visited any of the four buildings since 2006: City Hall, 77 North Front Street, 111 North Front Street, or the Beacon Building. Lovely.

Second Class Action Lawsuit

And then of course we had a second class action lawsuit against the city, representing both city police and firefighters. The new lawsuits explain the financial impacts to just a few first responders. The lawsuit asked the city to fully and accurately disclose the nature of the information that has been compromised and to adopt sufficient security practices and safeguards to prevent incidents like the data breach described here in the future. That's the information that we have so far.

My Personal Thoughts

Yeah, I'm bound to agree with the second lawsuit here. Uh, not only that, um, it seems like to me they may have, um, if I'm not reading this wrong, run afoul of Ohio's own breach disclosure laws. Not only that, Ginther is really bad at PR, bro, really. And 2 years of, uh, free credit monitoring, what's that going to do? Oh yeah, your account's been breached. Oh yeah, something's been filed. Once again, I've been recommending people, I don't care if you've been breached or not: freeze your credit, freeze all three accounts of your credit, get a password manager, set up multi-factor authentication for all of your accounts, and start monitoring everything very, very vigorously. You should always... I check my bank accounts at least once a day, check to make sure there's nothing weird on there. I think the worst that I've had in the past few years is I had an erroneous charge for Catholic, which is hilarious if you know me, because I went to the bank and they said, how
do we know this isn't you? And I'm like, well, I'm Jewish and I'm kind of over my Catholic girl phase. Yeah, bad joke, I know, I know, but was a few years ago.

We need regular security Training

There's a lot more that needs to be done in terms of cyber security. Now the interesting thing is that apparently, um, I've been reading reports that this has also happened as a result of employees clicking on files. This goes into the fact that we need to have better security training, and it needs to be regular security training for all employees everywhere. The amount of times that I deal with people that they are not up to speed on, you know, you shouldn't give information out as much, you should, um, be very cautious of the people on the phone, how, what social engineering is and all that, is just astounding. And government is always behind in terms of the private sector when it comes to a lot of these things, and this is no different.

We need to lobby Government

So don't treat this as just "oh, another data breach, my data is already out there." Treat this like you just walked in on your parents doing the nasty. Have that reaction of "oh God, oh God, no, the horror," and raise that tone also to your politicians. Maybe we can finally get some equivalencies to the GDPR. Maybe we can actually stop using Social Security numbers as an identification factor in this country. Social Security numbers were never meant to actually be an identification factor. Why are we still using them as an identification factor? I mean, you have military people that were getting their stuff compromised for years because you look at their dog tags. For years, what happened? Their dog tags have their Social Security number. The United States government and the state governments and the local governments have never taken security really that seriously, but they want to honestly make arguments about how the FBI should have a back door into our cell phone, these mitigations and protections that Apple and other companies have to
encrypt our data and protect our data. And the argument that they have is to stop criminals. Don't just stop criminals, they stop, uh, yes, they stop the government as well.

Gov has never taken our Security seriously

They've never taken our security and privacy that seriously. They continuously make arguments at the FBI, at the national level, about how they should have backdoor access to our iPhones and all of our devices, and that encryption is allowing criminals to prevail, without realizing these same things protect everyday citizens from having their information disclosed so that we don't become victims to even greater crimes. What is the greater crime that the United States government is more worried about: getting backdoor access to all of our stuff to possibly go after criminals, or allow the entirety of the United States citizenry to be a perpetual victim at the mercy of the rest of the world because our government wants to go after a few criminals? Now I'm not saying that we shouldn't go after criminals. What I'm saying is that we are talking about a very small minority of the United States population that happens to be criminals, and we want to allow the United States to be victimized continuously because law enforcement has to do their job.

Device backdoors don't make us safe

You have to innovate better, you have to do surveillance and stuff better to catch these criminals, and that shouldn't come at the price of the average United States citizen's privacy and security when it comes to their financial or otherwise, because you want to have an easy route. No, you will not get a back door to my device. You will not allow, uh, encryption standards like FIPS 185 to ever come again with escrow key communication. If you don't know what that is, go look that up: in the 1990s, when Hillary Clinton and other people wanted to have escrow key communications, that any encrypted device was then given an escrow key so that you could have immediate backdoor access by the United States government or
other covered entities. Just so that we could have a repeat of what happened with the NSA getting into access to private communications and basically just jerking off the material of what people were considering private. Not a joke, this was an actual thing that happened, and this is unfortunately what happens a lot of times when we have unfettered access with secret courts and things like that that happen.

We should be protecting Citizens

We need to have the United States citizens protected properly, not seen as collateral damage in the course of an investigation because we could have protected the United States citizen better but we want to track some criminals down. I get it, there's always going to be bad guys. Yes, we should go after them. We should go after all kinds of criminals, financial, whether they're going after children, whether they, you know, any kind, murder, whatever, I don't care, you name it. But that should not come at the expense of my safety, your safety, your children's safety or anyone else, so that we can't have a private conversation without the risk of that information getting leaked out. I mean, now you have kids going basically to City Hall with their parents, going to see how government works, and realizing government works by screwing you over, by allowing your data to get released because they have incompetent data practices and they don't take your data seriously. Why is it the city of Columbus in Ohio didn't have proper data security in, uh, place? Why were these measures not taken appropriately beforehand? Why is there probably not a good amount of cyber security training at every single level, like I have come to expect when I work at different companies? That's my two cents. This in my opinion is a little bit worse than the National Public Data breach, which is already one of the worst data breaches that we've had, because that information is public and then, you know, stalkers can now have access to do worse things and
everything, but I digress.

Closing/We need policy change

Start treating data breaches like you just walked in on your parents doing the nasty, and start telling our politicians that we need changes to how we handle our data nationwide, how we can better protect our data, as well as we need to make changes to the Social Security system to stop being used as an identification system. That is first and foremost... well, a bunch of these things are not first and fore... they're all equally important. We need GDPR equivalencies, we need to stop using Social Security numbers as an identification, we need to have more safe and secure methods to protect our privacy and our information, because this is affecting police, this is affecting firefighters, this is affecting, uh, confidential informants, victims, this is affecting everyone, residents of the city. Who's to say one day taxes won't be breached? Although if they do, could you just, like, make it so that we don't have to pay taxes? 'Cause at this point, if we're dealing with an incompetent government that doesn't even fix potholes, what's the point in paying taxes? Not saying we shouldn't pay taxes, I'm saying what's the point in paying taxes then. Let me get that clear out there. But also one day maybe they'll get into our student loans and they'll just wipe it clean. Please and thank you. Not advocating for that, just saying that'd be a really nice thing, to wake up and not have student loans for a bunch of people, 'cause I know that's basically crushing a bunch of us, because the United States again doesn't care about the United States citizenry and our well-being in our future, just to see how we can extract more money out of us. And if you don't believe that: all these data brokers, why do they exist? Because they're buying and selling data, and they got lobbyists themselves to go to the government to say, no, no, no, we need to be allowed to buy and sell your data. No, you shouldn't. You should be protecting me. You, the United States government, you're
there to protect and serve me, not the corporation that wants to make a buck off me.

Thank you all for watching my video, my little rant today, and please like and subscribe if you want to see some more. As well, check out all my social media down below, and be safe out there. The internet can be a scary place. You're going to need this YubiKey. See y'all later, stay safe.