COLUMBUS, Ohio (WCMH) — Hours after Mayor Andrew Ginther assured Columbus citizens that data stolen from the city was encrypted or corrupted, NBC4 was shown just the “tip of the iceberg” of what had been taken, and it painted a drastically different picture.

Among the details laid bare were names from domestic violence cases, and Social Security numbers for police officers and crime victims alike. The dump not only impacts city employees, but also revealed personal information for residents and visitors going back years. Anyone who entered Columbus City Hall within the past two decades may be affected.

While NBC4 has previously viewed the play-by-play of Rhysida’s auctions and subsequent leak on the dark web, cybersecurity expert Connor Goodwolf shared the first glimpse into the downloaded contents Tuesday afternoon. He noted this was only a sample of the data totaling 3.1 terabytes, but he was already able to find server records from City Attorney Zach Klein’s office, as well as the ID scanning system used to enter Columbus City Hall.

NBC4 Anchor Colleen Marshall’s personal information appears in a search of Rhysida’s leak of stolen Columbus data. (NBC4 Photo/Mark Feuerborn)

The leaked scanner’s database includes a searchable list of driver’s license numbers, home addresses and full names of anyone who may have visited the building for functions like a city council meeting. Goodwolf showed this database contained 470,923 entries, though some could be duplicates. NBC4’s own employees were included, and they confirmed their captured personal information was accurate.

“All this stuff is not public information, driver’s license information is private,” Goodwolf said. “You can do extreme damage to one’s career, to one’s bank accounts, sign up for Cash App, maybe terminate their utilities when you have information like this.”

Goodwolf also confirmed that the databases he found included one from Klein’s office, as well as one from the Columbus Division of Police. He showed NBC4 the city attorney’s records, where the Social Security numbers and identities of domestic crime victims, suspects and subpoenaed officers all were visible, stemming from cases for 215,372 defendants. The leaked information falls in line with what Columbus police have alleged in a class-action lawsuit against the city, in addition to an undercover officer’s cover being blown.

Goodwolf started investigating the contents when he learned his own information was compromised in the leak, and said it took him 12 hours to download the portion of the leak he has. He hasn’t combed through all the information as of Tuesday evening, but did confirm some of what Rhysida offered on the dark web included city employee payroll databases. The files are encrypted, but he noted the leak’s files could include the encryption keys somewhere.

The servers’ data is also in a readily accessible format, as Goodwolf said the files are tied to common business software.

“This is Microsoft SQL Server. So anyone can download this,” Goodwolf said. “There’s been multiple versions throughout the years. Some of those databases can only be restored on very specific versions from like 2012. This one’s asking about 2022 and some of the databases can be restored to that one. Each version has its own backup format.”

Taking questions from reporters Tuesday morning, Ginther said he stood by previous comments that the leak lacked “value to those who would seek to do harm or profit from it.” He claimed the data was “encrypted or corrupted,” meaning it wasn’t usable to anyone that downloaded it. He did mention that the city was extending its free, precautionary credit monitoring services for current employees to also including former workers, but declined to comment on the pending class-action lawsuit where they could all become claimants.

With the scope of the leak now extended to the general public, cybersecurity expert Shawn Waldman said residents need to take action.

“I generally tell people even outside of this incident, to already assume that all of your information has been compromised anyway,” Waldman said. “I would contact all three credit bureaus and do what’s called freezing your credit … If you’ve got notifications that you can turn on, like your credit cards and your bank accounts, have them start notifying you about every transaction.”

Rhysida claimed responsibility for the hack, first detected by Columbus IT staff on July 18. While Ginther has said workers were able to stop the ransomware group from encrypting city systems and locking employees out, he did confirm personal data was accessed.

Rhysida wanted 30 bitcoin — or close to $2 million — in an auction of 6.5 terabytes of advertised stolen data. When no bidders surfaced, the group then publicly released 3.1 terabytes on the dark web.

Citizens react to becoming victims of data leak

NBC4 went door to door to hear from victims of the data leak. None of the people whose information had been posted to the dark web had been informed by the city. Many of them were concerned to learn they’d been impacted.

“We have a lot of information out there that we wouldn’t expect to get leaked,” said Joy Semei, whose father had his data stolen. “And that’s I feel like it’s just an invasion of privacy. And the fact that the city is not telling us is absolutely atrocious.”

Semei’s father had never been inside of city hall, but he had been to the Michael B. Coleman Government Center. She called on the city to better inform the public on the data breach.

“I think we need to let it be known what the city is hiding from us,” Semei said. “And we need to be aware because the fact that you have to come and tell us and that you’re not getting a letter from the city is absolutely ludicrous.”