
'Devastating:' Stolen Columbus data leaked by ransomware group after auction gets no bids


COLUMBUS, Ohio (WCMH) -- Over three terabytes of stolen data, including Columbus employees' personal files, were dumped on the dark web Thursday morning, after two auctions by the hackers that attacked the city failed to attract bids.

The Rhysida ransomware group began leaking the data after an extended auction ended at 5:35 a.m., according to Ohio State assistant professor Carter Yagemann, CMIT Solutions' Daniel Maldet and other cybersecurity experts who have watched the group's onion site on the dark web. While the full 6.5 terabytes that the hackers claimed to have has yet to be uploaded, the portion that has made it online includes backups and files from dozens of city employees' desktop computers, as well as SQL backup files for entire databases.

The massive size of the 258,270 files released means it's not readily apparent what they contain. But NBC4 reviewed a list of employees' names found within the data, confirming Rhysida's leak not only included current workers, but also at least one contractor and one former employee who left in 2021.

Maldet told NBC4 that it's possible the other portion of data that wasn't uploaded did find a buyer, but there is no way to verify that. Still, cybersecurity expert Shawn Waldman provided context on the gravity of the situation.

"This is really devastating because it appears that some of the personally identifiable information is already out and available," Waldman said. "Combine that with the fact that the City of Columbus has just now started rolling out credit monitoring, that may mean that the credit monitoring process may be completely ineffective due to the information being leaked before it became effective."

Rhysida wanted 30 bitcoin -- or around $1.7 million -- as the starting bid for the auction. The hackers previously advertised they stole employees' internal logins and passwords, Social Security numbers, and access to city video cameras as well. They had previously started to leak the data Wednesday morning after the original auction ended, but never made a working link available and instead reopened bidding. Maldet shared insight with NBC4 on why Rhysida may have changed course.

“Even though it didn’t sell up until this point, we don’t know what kind of offers it may have gotten,” Maldet said. “So, I’m guessing that they do have some valuable data there and they feel that it’s worth selling versus releasing.”

NBC4 reached out to multiple city officials who each pointed back to Columbus Mayor Andrew Ginther's office. A spokesperson said he would make time for an interview once they had “their arms wrapped around the situation.” The city has repeatedly told NBC4 it is limited on what it can share, citing an active investigation involving the FBI and the U.S. Department of Homeland Security.

Ginther has never named Rhysida or another hacking group as the suspect, only referring to them as "an established and sophisticated threat actor operating overseas." The mayor previously told NBC4 that the city's IT staff first detected the cyberattack on July 18. While they were able to stop Rhysida from encrypting the city's systems and locking employees out, he admitted data may have been taken.

“For non-IT people, folks at home, the best way to describe this would be robbers were in our house,” Ginther said. “They tried to lock us out from our own house, but we stopped them. They took some valuables, data, and we’re in the process of determining the extent, and their value, data, before we notify their owners.”

Waldman said that the leak after a restarted auction was an apparent sign that "negotiations either are not going well, or there are no negotiations."

"I would honestly expect to see the rest of the data leaked in the near future," Waldman said. "If the city doesn't continue some type of negotiation or communication with a threat actor, I think you'll see the entire data set made available."
