Local Politics: Data breach adds to list of Mayor Andrew Ginther’s failures

The City of Columbus suffered a data breach on July 18 that exposed, among other data, the private information of everyone who has visited City Hall. And yet, when the breach occurred, city officials failed to notify anyone that their security might have been compromised. 

Coincidentally, on July 19, the CrowdStrike outage occurred, which made the city’s technical issues and email outage appear to be a CrowdStrike-related problem. But when other systems began to come back online and city emails were still not operational on July 22, the data leak was discovered by residents.

On July 22, I received an email from a colleague who works for the city, informing me and some others that city email addresses could not send or receive messages, and that this had been true since the previous Thursday. I posted on X (formerly Twitter) about the email outage at around 1 p.m.

Seven hours later, at 8 p.m., Mayor Andrew Ginther posted a statement to X that read: “The City of Columbus is working diligently to restore its systems following a cybersecurity incident. The city’s Department of Technology identified an abnormality unrelated to the global IT outage while monitoring its systems on Thursday, July 18th. The Department took swift action to significantly limit potential exposure, which included severing internet connectivity. This proactive action has resulted in outages to some resident-facing IT services, which may take time to restore. However, the city’s 9-1-1 and 3-1-1 systems, as well as employee payroll, remain operational. The city has engaged law enforcement and cybersecurity experts to eradicate the threat, comply with applicable law and limit further risk. If individuals are impacted, they will receive notification.” 

As time went on, we learned that some payroll systems and 311 were operating on a manual input basis, and that law enforcement systems, including the ability for officers to use LEADS (Law Enforcement Automated Data System), were also impacted.

Local media reported quite a bit on this story, and even interviewed Ginther multiple times. But rather than admit facts that had been independently verified, such as the release of the personal data of the news stations’ own employees, Ginther continued to lie, saying that the stolen data was “corrupted or likely unusable,” which was not the case. He also said attempts made by the cybercriminals to encrypt city data had been “thwarted,” downplaying the severity of and scope of the breach. This led to some news stations disclaiming his statements and cutting his interview clips short.

Speaking from personal experience, I know for certain that my private information was released, because I have visited City Hall multiple times over the past few years and had my driver’s license scanned each time. Even so, I haven’t received any official notification from the city. I have happened to see news articles published online with instructions for residents on how to sign up for a credit monitoring service being offered by the city.

This brings us to the real questions: Why hasn’t Columbus notified the people impacted that their information has been compromised? And why does Ginther continue to lie about the scope of the data released by hackers?

The answer is a bit of a catch-22 for residents. While many of us are victims of the data breach, we are also the ones who will ultimately pay any lawsuit settlements or jury verdicts out of our tax dollars. This means that the more truthful Ginther is in his disclosures, the more leverage the law firm representing residents in a lawsuit will have, and the more tax dollars the city will eventually pay out to resolve the lawsuit. It’s bad all around!

As is typically the case with large class action lawsuits, each victim is likely to come out at the end with a check of miniscule value, with the representing law firm collecting about a third of the total settlement. 

Attorneys at Cooper Elliott and Meyer Wilson have already filed a class action lawsuit against the city for the data breach. These firms have offices at Nationwide Boulevard and Neil Avenue. Cooper Elliott has recently been in the news related to representation of clients such as the family of Donovan Lewis and one of the victims of the Fire Ball ride breakdown at the Ohio State Fair.

The lawsuit began as a claim against the city on behalf of police officers whose leaked financial information may have been used to harm their credit, and whose undercover status may have been revealed. With the addition of everyone whose information was leaked, the suit has now transformed into one that could involve every adult in the city.

We know that 77 percent of Columbus police officers don’t live in the city, so forcing the taxpayers of Columbus to give them even more money is nothing new. But with the potential addition of every resident whose data was leaked, we are essentially battling against ourselves. Personally, I’d rather see that money be spent on finally buying my neighborhood some sidewalks.

We can put all of this nonsense at the feet of Ginther. At a minimum, if he had been honest and released information when the data was first leaked, we all could have done something to protect ourselves. If that had been the case, the amount of any lawsuit settlement likely would have been much lower. But he didn’t do that. He decided to remain quiet until July 22, making a statement only after the news got out on its own. And then he lied continuously even before the lawsuit was filed.

Columbus residents might be mad about this tremendous failure, but Ginther voters are ultimately the reason we’re in this situation. It seems to me that corruption has been endorsed each time voters have gone to the polls and touched the screen next to Ginther’s name. But then when things like this data breach and subsequent cover up occur, people tend to complain as if they were somehow fooled.

The voters of Columbus in some sense asked for this. They reelected a man whose wife worked for OhioHealth at the same time the city donated land and fully funded the new OhioHealth Route 315 off ramp. A man who was involved in asking red light camera company Redflex for a $20,000 “success fee” before he was even elected as mayor. A man who most recently was accused of making improper contact with the judge presiding over the city’s attempted shutdown of a West Side bus terminal. He hasn’t been hiding who he is. Voters have simply been lying to themselves.

I’ve never voted for Ginther. I know I won’t get the chance to vote against him again, since we’re likely counting down the months until City Council president Shannon Hardin is anointed the next mayor. But I have to live by the decisions of my neighbors, a majority of whom seem to think that a “D” next to a name on a ballot means that the person automatically deserves to hold office.

Ultimately, we get what we vote for.