
Cyber Incident Victim: City of Columbus

Date: Jul 2024

Location: United States of America

Summary

The City of Columbus experienced a cybersecurity incident after its technology department detected a system abnormality unrelated to the global CrowdStrike outage. Initial findings suggest an employee clicked a malicious email link, prompting immediate containment measures including internet disconnection to limit exposure. This action disrupted resident-facing IT services, though critical operations like 911, 311, and payroll systems remained functional. An investigation is ongoing to determine whether personal data was compromised, with notifications promised if impacts are confirmed. The municipality is currently in the eradication and recovery phase, collaborating with law enforcement and cybersecurity experts to restore systems and mitigate further risks.


Description

On July 18, 2024, the City of Columbus Department of Technology identified evidence of an abnormality within its systems, initiating a cybersecurity incident response unrelated to the contemporaneous global CrowdStrike IT outage. Preliminary investigation indicated the incident likely originated from a city employee clicking a malicious link delivered via email, though the exact source remained under active scrutiny. The city implemented immediate containment measures, including severing internet connectivity across affected systems to limit potential data exposure and mitigate further compromise. These protective actions disrupted numerous resident-facing IT services, with restoration expected to require extended time due to the complexity of system recovery processes. Critical infrastructure including emergency 911 dispatch, non-emergency 311 services, and employee payroll systems remained operational throughout the incident. The city did not initially confirm whether unauthorized access to personally identifiable information occurred, committing to notify individuals if investigations revealed compromised data.


Columbus officials transitioned to the eradication and recovery phase of incident response following initial containment, collaborating with law enforcement agencies and external cybersecurity experts to eliminate persistent threats and restore full system functionality. The deliberate internet disconnection caused significant operational disruptions to municipal services utilized by both employees and residents, though no specific restoration timeline was publicly disclosed. Ongoing forensic analysis focused on determining the scope of accessed data, attack vectors, and potential exfiltration of sensitive information. City leadership, including Mayor Andrew J. Ginther, emphasized transparency through public statements while maintaining operational continuity for essential services. The incident remained under criminal investigation with no attribution to specific threat actors disclosed in available public records.
