Columbus (Ohio) Fire Fighters Union IAFF Local 67 and Fraternal Order of Police Lodge 9 have filed a class action lawsuit on behalf of their members following a ransomware cyberattack on the city’s information technology. The attack is believed to have occurred on July 18, 2024, and resulted in the theft of the employees’ personal and confidential information.
The suit was filed in Franklin County Court of the Common Pleas alleging negligence and breach of contract. The suit was brought in the names of John Doe and Jane Doe. Quoting from the complaint:
- Defendant failed to comply with industry standards to protect information systems that contain personal identifiable information (PII). As a result, on or about July 18, 2024, Defendant was the target of a ransomware cyberattack on its information technology (IT) system, resulting in the theft of PII belonging to Plaintiffs’ and the proposed class defined below. Plaintiffs bring this class action against Defendant for its failure to properly secure the PII of Plaintiffs and members of the proposed Class.
- The PII includes, among other things, Plaintiffs’ names, addresses, birth dates, driver’s license numbers, Social Security numbers, and financial account information.
- Plaintiffs seek, among other things, orders requiring Defendant to fully and accurately disclose the nature of the information that has been compromised and to adopt sufficient security practices and safeguards to prevent incidents like the data breach described herein in the future. Plaintiffs also seek reimbursement of their actual losses, compensatory and punitive damages, attorney fees, all costs associated with reclaiming and protecting their identities, and monitoring costs.
- On July 29, 2024, Defendant boasted that it had “thwarted” the attempt of “a foreign cyber threat actor” to disrupt the City’s IT infrastructure. Shortly thereafter, however, current and former employees of the City, including employees of the Columbus Police Department and the Columbus Fire Department, reported to the City that they were victims of fraudulent transactions, that they were alerted to attempted illicit uses of their PII on the dark web, and that their information was now present on the dark web as a result of the City being hacked.
- Despite these reports, on August 13, 2024, Mayor Ginther held a news conference in which he told reporters that “the data stolen during the ransomware attack on the city was corrupted or likely unusable.” The Mayor’s assertion was quickly contradicted by a cybersecurity expert who located some of the data stolen from the City that was available on the dark web.
Here is news video coverage of the suit, and below is a copy of the complaint.