Connect with us

Published

10 months ago

on

Ransomware has long been plaguing American municipalities. It appeared to be another typical ransomware attack that impacted the city of Columbus, Ohio, this past July. The city’s response to the hack, however, was not, and it has cybersecurity and legal experts across the country questioning its motives.

Connor Goodwolf (legal name is David Leroy Ross) is an IT consultant who plumbs the dark web as part of his job. “I track dark web-type crimes, criminal organizations, and stuff like what the Telegram CEO has been arrested for,” Goodwolf said.

So when word got out that the city of Columbus, his hometown, had been breached, Goodwolf did what he does: he poked around online. It didn’t take him long to discover what the hackers had in their possession.

“It wasn’t the biggest, but it was one of the most impactful breaches I have seen,” Goodwolf said.

In some ways, he described it as a routine breach, with personal identifiable information, protected health information, Social Security numbers and driver’s license photos exposed. However, because multiple databases were breached, it was more encompassing than other attacks. According to Goodwolf, the hackers had breached multiple databases from the city, the police, and the prosecutor’s office. There were arrest records and sensitive information about minors and domestic violence victims. Some of the breached databases, he says, went back to 1999. 

Goodwolf found over three terabytes of data that took over 8 hours to download.

“The first thing I see is the prosecutor’s database, and I’m like ‘holy sh-t’ these are domestic violence victims. When it comes to domestic violence victims, we need to protect them the most because they have already been victimized once, and now they are again by having their information exposed,” he said.

Goodwolf’s first action was to contact the city to let them know how serious the breach was, because what he saw contradicted official statements. At a press conference on August 13,  Columbus Mayor Andrew Ginther said: “The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data came by the threat actor is unusable.”

But what Goodwolf was finding didn’t support that view. “I tried to reach out to the city multiple times to multiple departments and was blown off,” he said.

Google-owned Mandiant, as well as many other top cybersecurity firms, have been tracking a continued increase in ransomware attacks, both in prevalence and severity, and the rise of the Rhysida Group behind the Columbus hack, which has come into prominence within the last year.

The Rhysida Group claimed responsibility for the hack. While not much is known about the cyber gang, Goodwolf and other security experts say they appear to be state-sponsored and based in Eastern Europe, possibly linked to Russia. Goodwolf says these ransomware gangs are “professional operations” with a staff, paid vacation, and PR people.

“They have ramped up the attacks and targets since last autumn,” he said.

The U.S. government’s Cybersecurity and Infrastructure Security Agency issued a bulletin about Rhysida last November.

Goodwolf said that because no one from the city responded to him he went to the local media and shared data with journalists to get the word out about the seriousness of the breach. And that is when he heard from the city of Columbus, in the form of a lawsuit and a temporary restraining order preventing him from disseminating additional information. 

The city defended its response in a statement to CNBC:

“The City initially moved to obtain this order, which was granted by the Court, to prevent the dissemination of sensitive and confidential information, potentially including the identities of undercover police officers, that threatens public safety and criminal investigations.”

The city’s temporary 14-day restraining order against Goodwolf has since expired, and now it has a preliminary injunction and an agreement with Goodwolf not to release more data.

“It should be noted that the Court order does not prohibit the defendant from discussing the data breach or even describing what kind of data was exposed,” the city’s statement added. “It simply prohibits the individual from disseminating the stolen data posted on the dark web. The City remains engaged with federal authorities and cyber security experts to respond to this cyber intrusion.”

Meanwhile, the mayor did have to perform a mea culpa at a subsequent press conference, saying his initial statements were based on the information he had at the time. “It was the best information we had at the time. Clearly, we discovered that that was inaccurate information and I have to accept responsibility for that.”

Realizing the exposure to residents was greater than first thought, the city is offering two years of free credit monitoring from Experian. This includes anyone who has had contact with the city of Columbus via an arrest or other business. Columbus is also working with Legal Aid to see what additional protections are needed for domestic violence victims who may have been compromised or need help with civil protection orders.

To date, the city has not paid the hackers, who were demanding $2 million in ransom.   

‘He’s Not Edward Snowden’

Those who study cybersecurity law and work within the realm expressed surprise at Columbus filing a civil lawsuit against the researcher.

“Lawsuits against data security researchers are rare,” said Raymond Ku, professor of law at Case Western Reserve University. On the rare occasion they do happen, he said, it is usually when the researcher is alleged to have disclosed how a flaw was or can be exploited, which would then allow others to take advantage of the flaw as well.

“He wasn’t Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity company Huntress, who described himself as troubled by the city of Columbus’s response and what it could mean for future breaches. Snowden was a government contract employee who leaked classified information and faced criminal charges, but considered himself a whistleblower. Goodwolf, Hanslovan says, is a Good Samaritan who independently found the breached data.

“In this case, it appears we have just silenced someone who, as far as I can tell, appears to be a security researcher who did the bare minimum and confirmed the official statements made were not true. This can’t possibly be an appropriate use of the courts,” Hanslovan said, predicting the case will be quickly overturned.

Columbus City Attorney Zach Klein said during a September press conference that the case was “not about freedom of speech or whistleblowing. This is about downloading and disclosure of stolen criminal investigatory records.”

Hanslovan worries about the ripple effect where cybersecurity consultants and researchers are afraid to do their jobs for fear of being sued. “The bigger story here is are we seeing the emergence of a new playbook” for hacking response in which individuals are silenced, and that should not be welcomed, he said. “Silencing any opinion, even for 14 days, could be enough to prevent something credible from coming to light, and that terrifies me,” Hanslovan said. “That voice needs to be heard. As we see bigger cybersecurity incidents come up, I am worried that folks will be more concerned bringing them to light.”

Scott Dylan, founder of United Kingdom-based venture capital firm NexaTech Ventures, also thinks the actions of the city of Columbus could induce a chilling effect on the field of cybersecurity.

“As the field of cyberlaw continues to mature, this case is likely to be referenced in future discussions about the role of researchers in the aftermath of data breaches,” Dylan said.

He says legal frameworks must evolve to keep pace with the sophistication of both cyberattacks and the ethical dilemmas they generate, and the approach taken by Columbus is a mistake.

Meanwhile, the legal process will grind on for Goodwolf. Despite Columbus and Goodwolf reaching an agreement last week on the dissemination of information, the city is still suing him for damages in a civil suit that could reach $25,000 or higher. Goodwolf is representing himself in his talks with the city, though says that he has a lawyer on standby, if needed.

Some residents have filed a class-action lawsuit against the city. Goodwolf says that 55% of the information breached has been sold onto the dark web, while 45% is available for anyone with the skills to access it.

Dylan thinks the city is taking a big risk, even if its actions may be legally defensible, by creating the appearance of an attempt to silence discourse rather than encourage transparency. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.

“I am hoping the city realizes the mistake of filing a civil suit and the implications not just on security,” Goodwolf said, noting that Intel is building a $1 billion facility in a Columbus suburb. In recent years, the city has been positioning itself as a new tech hub in the Midwest, and attacking white hats and cybersecurity researchers, he said, could cause some in the tech sector to rethink it as a location.

Related Topics:
Continue Reading

Technology

Nvidia says U.S. government will allow it to resume H20 AI chip sales to China

Published

1 hour ago

on

July 15, 2025

By

Nvidia says U.S. government will allow it to resume H20 AI chip sales to China

Nvidia CEO Jensen Huang attends a roundtable discussion at the Viva Technology conference dedicated to innovation and startups at Porte de Versailles exhibition center in Paris on June 11, 2025.

Sarah Meyssonnier | Reuters

Nvidia announced Tuesday that it hopes to resume sales of its H20 general processing units to clients in China, saying that the U.S. government had assured the company would be granted licenses.

Nvidia’s sales of the H20 chips, which had been designed specifically to keep them out of export controls on China, were halted in April.

“The U.S. government has assured NVIDIA that licenses will be granted, and NVIDIA hopes to start deliveries soon,” the company said in a statement.

This comes against the backdrop of a preliminary trade deal between Washington and Beijing last month that sought China to resume rare earth exports and the U.S. to relax tech export controls.

Nvidia CEO Jensen Huang in recent months has ramped up his lobbying against export controls, arguing that they inhibited American tech leadership. In May, Huang said chip restrictions had already cut Nvidia’s China market share nearly in half.

Huang also announced a new “fully compliant” GPU, NVIDIA RTX PRO, saying it was ideal for smart factories and logistics.

The potential change in U.S. stance follows a meeting between Huang and U.S. President Donald Trump last week.

In his meeting with Trump and U.S. policymakers, Huang had reaffirmed Nvidia’s support for the administration’s job creation and onshoring efforts, as well as the aim for America to lead in global AI, the company said.

Meanwhile, in Beijing, it was confirmed that Huang has met with government and industry officials to discuss the benefits of AI and ways for researchers to advance safe and secure AI for the benefit of all. 

Continue Reading

Technology

Cognition to buy AI startup Windsurf days after Google poached CEO in $2.4 billion licensing deal

Published

9 hours ago

on

July 14, 2025

By

Cognition to buy AI startup Windsurf days after Google poached CEO in .4 billion licensing deal

In this photo illustration, a man seen holding a smartphone with the logo of US artificial intelligence company Cognition AI Inc. in front of website.

Timon Schneider | SOPA Images | Sipa USA | AP

Artificial intelligence startup Cognition announced it’s acquiring Windsurf, the AI coding company that lost its CEO and several other senior employees to Google just days earlier.

Cognition said on Monday that it will purchase Windsurf’s intellectual property, product, trademark, brand and talent, but didn’t disclose terms of the deal. It’s the latest development in an AI talent war, as companies like Meta, Google and OpenAI fiercely compete for top engineers and researchers.

OpenAI had been in talks to acquire Windsurf for about $3 billion in April, but the deal fell apart, and Google said on Friday that it hired Windsurf’s co-founder and CEO Varun Mohan. Google is paying $2.4 billion in licensing fees and for compensation, as CNBC previously reported.

“Every new employee of Cognition will be treated the same way as existing employees: with transparency, fairness, and deep respect for their abilities and value,” Cognition CEO Scott Wu wrote in a memo to employees on Monday. “After today, our efforts will be as a united and aligned team. There’s only one boat and we’re all in it together.”

Cognition didn’t immediately respond to CNBC’s request for comment. Windsurf directed CNBC to Cognition.

Cognition is best known for its AI coding agent named Devin, which is designed to help engineers build software faster. As of March, the startup had raised hundreds of millions of dollars at a valuation of close to $4 billion, according to a report from Bloomberg.

Both companies are backed by Peter Thiel’s Founders Fund. Other investors in Windsurf include Greenoaks, Kleiner Perkins and General Catalyst.

“I’m overwhelmed with excitement and optimism, but most of all, gratitude,” Jeff Wang, the interim CEO of Windsurf, wrote in a post on X on Monday. “Trying times reveal character, and I couldn’t be prouder of how every single person at Windsurf showed up these last three days for each other and for our users.”

Wu said that the acquisition ensures all Windsurf employees are “treated with respect and well taken care of in this transaction.” All employees will participate financially in the deal, have vesting cliffs waived for their work to date and receive fully accelerated vesting for their, according to the memo.

“There’s never been a more exciting time to build,” Wu wrote.

WATCH: Google snatches Windsurf CEO after OpenAI deal dissolves

Google snatches Windsurf CEO after OpenAI deal dissolves

Continue Reading

Technology

Musk’s xAI faces European scrutiny over Grok’s ‘horrific’ antisemitic posts

Published

9 hours ago

on

July 14, 2025

By

Musk's xAI faces European scrutiny over Grok's 'horrific' antisemitic posts

The Grok logo is being displayed on a smartphone with Xai visible in the background in this photo illustration on April 1, 2024. 

Jonathan Raa | Nurphoto | Getty Images

The European Union on Monday called in representatives from Elon Musk‘s xAI after the company’s social network X, and chatbot Grok, generated and spread anti-semitic hate speech, including praise for Adolf Hitler, last week.

A spokesperson for the European Commission told CNBC via e-mail that a technical meeting will take place on Tuesday.

xAI did not immediately respond to a request for comment.

Sandro Gozi, a member of Italy’s parliament and member of the Renew Europe group, last week urged the Commission to hold a formal inquiry.

“The case raises serious concerns about compliance with the Digital Services Act (DSA) as well as the governance of generative AI in the Union’s digital space,” Gozi wrote.

X was already under a Commission probe for possible violations of the DSA.

Read more CNBC tech news

Grok also generated and spread offensive posts about political leaders in Poland and Turkey, including Polish Prime Minister Donald Tusk and Turkish President Recep Erdogan.

Over the weekend, xAI posted a statement apologizing for the hateful content.

“First off, we deeply apologize for the horrific behavior that many experienced. … After careful investigation, we discovered the root cause was an update to a code path upstream of the @grok bot,” the company said in the statement.

Musk and his xAI team launched a new version of Grok Wednesday night amid the backlash. Musk called it “the smartest AI in the world.”

xAI works with other businesses run and largely owned by Musk, including Tesla, the publicly traded automaker, and SpaceX, the U.S. aerospace and defense contractor.

Despite Grok’s recent outburst of hate speech, the U.S. Department of Defense awarded xAI a $200 million contract to develop AI. Anthropic, Google and OpenAI also received AI contracts.

CNBC’s April Roach contributed to this article.

Continue Reading

Trending