If state capital infrastructure can be breached, every organization needs to reassess
In July 2024, the City of Columbus, Ohio became the target of one of the most significant municipal cyberattacks in recent U.S. history. The Rhysida ransomware group breached the city's systems, exfiltrated approximately 6.5 terabytes of data, and ultimately exposed the personal information of more than 500,000 residents and city employees on the dark web. For businesses across Ohio, from Newport, Kentucky through Cincinnati, Dayton, and up to Columbus itself, this breach carries urgent lessons that demand attention.
What Happened
The Rhysida group, a ransomware-as-a-service operation that has targeted government agencies, healthcare organizations, and educational institutions worldwide, gained access to Columbus city government systems in mid-2024. The attackers spent time inside the network before deploying ransomware; this interval, known as "dwell time," allowed them to locate and exfiltrate massive volumes of data before the city even knew they were there.
The stolen data included employee names, Social Security numbers, bank account details, driver's license information, and other personally identifiable information. Resident data was also compromised, including records from city services that contained sensitive personal and financial details. When the city refused to pay the ransom, Rhysida published a significant portion of the stolen data on their dark web leak site, making it freely available to anyone who knew where to look.
The fallout was severe. The city faced class-action lawsuits from affected employees and residents. Critical city services were disrupted for weeks. The recovery effort consumed enormous resources, and the reputational damage to the city's IT operations was substantial. Columbus initially downplayed the severity of the breach, which further eroded public trust when the full scope became clear.
Lesson 1: No Organization Is Too Big or Too Small to Be Targeted
Columbus is the largest city in Ohio, with a dedicated IT department, cybersecurity staff, and a significant technology budget. If a city of that size and sophistication can be breached, the idea that any organization is "too small to be a target" or "too big to fall" should be permanently retired. Ransomware groups are opportunistic. They scan for vulnerabilities at scale, and they do not discriminate based on the size of the organization. A 25-person accounting firm in Dayton and the state capital's IT infrastructure are both potential targets. The difference is often whether basic security controls are in place, not whether the attacker considers you worth attacking.
Lesson 2: Data Encryption at Rest Is Not Optional
One of the most critical takeaways from the Columbus breach is the importance of encrypting sensitive data at rest. When attackers exfiltrate data from your systems, encryption is your last line of defense. If the stolen files are properly encrypted with keys the attackers do not possess, the data is useless to them even after they have taken it. Too many organizations treat encryption as a "nice to have" feature rather than a fundamental security requirement. Every database containing PII, financial records, or confidential business information should be encrypted at rest using industry-standard encryption. This includes local servers, cloud storage, backup systems, and archived data. If Columbus had implemented comprehensive encryption at rest across its data stores, the impact of the exfiltration could have been dramatically reduced.
Lesson 3: Incident Response Planning Must Be Tested
Having an incident response plan on paper is not the same as having one that works. The Columbus breach revealed challenges in the city's ability to quickly assess the scope of the attack, communicate accurately with the public, and coordinate recovery efforts. An effective incident response plan needs to be tested regularly through tabletop exercises and simulated breach scenarios. Your plan should clearly define who makes decisions during an incident, how communications are handled internally and externally, what technical steps are taken to contain and remediate the breach, and how evidence is preserved for potential legal and law enforcement proceedings. If your incident response plan has never been tested, it is not a plan. It is a document.
Lesson 4: Know Your Notification Obligations
Ohio law requires businesses to notify affected individuals "in the most expedient time possible and without unreasonable delay" when a data breach involving personal information occurs. The notification must include specific information about the breach and the data compromised. Failure to comply can result in regulatory action and significantly increase your legal exposure in the event of lawsuits. Beyond state requirements, businesses in regulated industries may have additional notification obligations under HIPAA, PCI-DSS, or other frameworks. Your incident response plan should include a notification timeline and pre-drafted templates so you are not scrambling to figure out your obligations while simultaneously trying to contain an active breach.
Lesson 5: Dwell Time Is the Silent Killer
The Rhysida group did not breach Columbus and immediately deploy ransomware. They spent time inside the network, moving laterally, escalating privileges, and identifying the most valuable data to steal. This dwell time is where the real damage happens in modern ransomware attacks. The ransomware deployment itself is often the final step after the attackers have already taken everything they want. Detecting threats during the dwell time period requires active monitoring, not just perimeter defenses. Endpoint detection and response (EDR) tools, network traffic analysis, and security information and event management (SIEM) systems are designed to identify suspicious activity before it becomes a full-blown breach. For businesses that cannot staff a security operations center around the clock, managed detection and response (MDR) services provide this critical capability.
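As an added illustration of the monitoring described above (example code written for this article, not from the original post, the City of Columbus, or any vendor), the following Python runs two dwell-time checks over constructed log lines: one account logging on to many distinct hosts in a short window (lateral movement) and one internal host pushing an unusually large volume outbound (exfiltration). The pipe-delimited log format, hostnames, account names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: timestamp|event|user|src|dst|bytes
# (hostnames, account names and addresses are made up for this example).
SAMPLE_LOGS = """\
2024-07-10T02:01:00|logon|svc_backup|ws-17|fs-01|0
2024-07-10T02:03:00|logon|svc_backup|ws-17|fs-02|0
2024-07-10T02:04:00|logon|svc_backup|ws-17|hr-db|0
2024-07-10T02:06:00|logon|svc_backup|ws-17|fin-db|0
2024-07-10T02:08:00|logon|svc_backup|ws-17|dc-01|0
2024-07-10T09:00:00|logon|jsmith|ws-04|fs-01|0
2024-07-10T09:30:00|logon|jsmith|ws-04|mail-01|0
2024-07-10T03:00:00|egress|-|fs-01|203.0.113.10|500000000000
2024-07-10T03:30:00|egress|-|fs-01|203.0.113.10|700000000000
2024-07-10T10:00:00|egress|-|ws-04|198.51.100.20|2000000
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, kind, user, src, dst, nbytes = line.split("|")
        events.append((datetime.fromisoformat(ts), kind, user, src, dst, int(nbytes)))
    return events

def over_window(items, window, measure, limit):
    """True if measure() of the (time, value) items inside any sliding window exceeds limit."""
    items.sort()  # anchor a window on each item in time order
    for i, (start, _) in enumerate(items):
        if measure([v for ts, v in items[i:] if ts - start <= window]) > limit:
            return True
    return False

def lateral_movement(events, window=timedelta(minutes=30), max_hosts=4):
    """Accounts that log on to more than max_hosts distinct hosts within one window."""
    by_user = defaultdict(list)
    for ts, kind, user, _src, dst, _ in events:
        if kind == "logon":
            by_user[user].append((ts, dst))
    return {u for u, l in by_user.items() if over_window(l, window, lambda v: len(set(v)), max_hosts)}

def bulk_egress(events, window=timedelta(hours=1), threshold=100 * 10**9):
    """Internal hosts that send more than threshold bytes outbound within one window."""
    by_host = defaultdict(list)
    for ts, kind, _user, src, _dst, nbytes in events:
        if kind == "egress":
            by_host[src].append((ts, nbytes))
    return {h for h, x in by_host.items() if over_window(x, window, sum, threshold)}
```

On the sample above, `svc_backup` is flagged for touching five hosts in seven minutes while `jsmith`'s two ordinary logons are not, and `fs-01` is flagged for 1.2 TB outbound in half an hour; in a SIEM these same rules would run against authentication and flow logs rather than a string constant.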
What This Means for Your Business
The Columbus breach is not a distant news story. It happened in our state, to our state's capital city, affecting over half a million of our neighbors. For every business operating between Newport, Kentucky and Columbus, Ohio, the message is clear: assess your security posture now, not after an incident forces you to.
Start with the basics. Ensure multi-factor authentication is enabled on every account. Verify that your data is encrypted at rest and in transit. Test your backups and confirm they are isolated from your production network. Review and test your incident response plan. Implement continuous monitoring to detect threats during the critical dwell time window. And if you do not have the internal resources to do these things, partner with a managed security services provider that can.
The cost of prevention is always a fraction of the cost of recovery. The City of Columbus is learning that lesson at enormous expense. Your business does not have to.
Key Takeaways
- Encrypt sensitive data at rest -- it is your last line of defense when attackers exfiltrate data from your systems.
- Detect threats during dwell time with EDR, network monitoring, and managed detection and response (MDR) services before ransomware is deployed.
- Test your incident response plan through tabletop exercises and know your Ohio notification obligations before a breach forces you to figure them out.