City of Columbus: Vendor Notification of Cybersecurity Incident

This letter was emailed to City of Columbus Vendors regarding the cybersecurity breach

To our respected vendor and supplier contacts: 

The City of Columbus (the “City”), recently discovered that it was the victim of a criminal cybersecurity incident that may trigger contractual notification obligations. Please note that an investigation is still ongoing to determine the full scope of this incident. For that reason, this notice is being provided as a courtesy in a good-faith effort to alert our vendors and suppliers. If during the continuing investigation it is discovered that your vendor data was accessed, we will provide an additional notice directly to you, pursuant to the notice obligations described in the agreements related to your services. 

What Happened?
On July 18, 2024, the City discovered that it had experienced a cybersecurity incident, in which a foreign cyber threat actor attempted to disrupt the City’s IT infrastructure, in a possible effort to deploy ransomware and solicit a ransom payment from the City. The City’s continuing investigation of the cyber security incident has determined that the threat actor gained unauthorized access to the City’s technology infrastructure. Further discovery indicated the incident allowed the threat actor to view and access certain personal information, which may, or may not, include data in connection with certain vendor services. The incident was discovered expeditiously, cyber security experts were promptly retained, federal law enforcement was engaged, and proper security measures were conducted to contain the incident. 

What Information Was Involved?
The information accessed by the threat actor included personal information of City employees, former City employees, residents of the City or other individuals including minors who may have interacted with the City, such as their first and last name, date of birth, address, bank account information, driver’s licenses,  Social Security number, and other identifying information. More specifically, if you handle, store, or access any data in connection with the City, there is the potential those documents were accessed by the criminal threat actors and you may have legal duties to notify individuals whose information resided in documents of this ransomware attack.

What Are We Doing?
We take the protection of the data and information that we retain seriously and are taking steps to prevent a similar occurrence. Upon learning of the incident, the City’s Department of Technology quickly identified the threat and took action to limit potential exposure by severing internet connectivity and mobilizing a response team. The City engaged cyber security experts to provide expertise and guidance in navigating the incident, and while the threat actor’s activity was disrupted, an investigation is still ongoing to determine the full extent of the incident. 

For More Information.
Vendors who believe they may have data impacted by this incident should go to www.columbus.gov/Services/Cybersecurity and access the Vendor tab for more information. For further questions or concerns, please email databreachteam@dinsmore.com.

Thank you for your immediate attention to this situation, as well as your understanding in the short-term. Please be assured that the security, safety and stability of our vendors, suppliers, employees, residents, and visitors, is of the utmost importance to us and is our top priority. While the investigation is still ongoing, we wanted to keep you informed and assure you that we will provide further updates as soon as more details are available. If we determine that your data or system has been affected in connection with this incident, or your organization has proprietary reporting requirements regarding incidents of this nature, we will follow up with you as necessary.

Regards,