Under a new law local governments and schools districts will have to make public why they are paying a ransom and provide a justification.
COLUMBUS, Ohio — On July 18, 2024, Columbus experienced one of its most significant crises in recent memory: a cyberattack that exposed sensitive personal data of roughly half a million residents to the dark web.
Initially, Mayor Andrew Ginther attempted to assuage public fear, suggesting the breach’s impact was limited. However, that reassurance was quickly challenged by cybersecurity experts, who confirmed that databases containing Social Security numbers and other private information were compromised, making the stolen material highly sensitive and valuable.
In response, city web services were temporarily shuttered — a drastic move, but one that officials say helped contain the fallout. One measure of relief: Columbus refused to pay a ransom to the attackers, a stance that aligns with federal cybersecurity recommendations.
Since the incident, Ginther reports that the city has ramped up both staffing and security precautions.
“We’ve made significant investments into improving and adding staff, and additional precautions, to our cyber security efforts to reduce risk and vulnerability in the future,” he said, vowing to prevent another breach of this magnitude.
But the breach’s effects rippled far beyond Columbus. In its wake, Ohio has enacted new requirements for government agencies statewide — extending to townships, villages, school districts and water authorities.
Effective in September, every audited entity must adopt systems to deter cyberattacks. The law comes with a catch: there’s no state funding for this mandate.
Gov. Mike DeWine requested funding but Kirk Herath, the chairman for Cyber Ohio, said it was stripped from the state budget.
Under House Bill 96, all affected agencies must report a cyber threat to the Department of Public Safety within seven days and notify the State Auditor within 30.
“We will have metrics as to how many ransomware attacks happened, where they attacked, what entities were attacked, how many breaches happened,” Herath said.
School districts, for example, can only comply with ransom demands if approved by their local board of education and other local governments require a formal justification and resolution.
As digital threats evolve, Ohio’s leadership emphasizes vigilance.
The chairman of Cyber Ohio noted, “Bad guys are constantly scanning us, trying to find holes in our armor,” reflecting the state’s ongoing challenges in defending critical infrastructure against relentless cybercriminals.
Herath says despite the attempted attacks, rarely are they successful. The last breach, he said, happened in 2023 against the Ohio Lottery.
Columbus’ ordeal and the legislative response is a stark reminder that cybersecurity breaches can shake communities to their core.
The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) released its 2024 Internet Crime Report. It collected 859,532 complaints of suspected internet crime and details reported losses exceeding $16 billion — a 33% increase in losses from 2023.
The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses — totaling over $6.5 billion, according to the FBI.
Now, with stricter regulations but no new state funding, local agencies across Ohio face the daunting task of protecting their data and their citizens from a constantly shifting threat landscape.
If you are a public, local government entity, or a critical infrastructure operator experiencing a cyber incident, please contact The Ohio Cyber Integration Center at OCIC@dps.ohio.gov or call 614-387-1089.
If you are an Ohioan and want to report a scam, computer fraud or file a complaint, contact the Ohio Attorney General’s office or call 800-282-0515 (Monday – Friday, 8 a.m. – 6 p.m.).
