Nearly two years after the July 18, 2024 cyberattack that knocked large swaths of Columbus’ IT infrastructure offline, the city still has not published the full after-action report officials once promised. Residents and some elected leaders say the silence has left basic questions about scope, accountability and what sensitive records were exposed hanging in the air.
As WBNS reported on March 24, 2026, the comprehensive analysis the mayor pledged after the incident remains out of public view, with city leaders still saying the investigation is ongoing. That local report notes departments were taken offline for days while forensic teams scrambled to secure systems and figure out exactly what data had been hit.
What investigators have said so far
The breach began on July 18, 2024, and the Rhysida ransomware group later claimed to have exfiltrated as much as 6.5 terabytes of city data, according to reporting that reviewed regulatory filings and dark-web postings. TechCrunch and other outlets documented disputes between city officials, who initially described some files as likely corrupted or unusable, and independent researchers who said leaked files appeared intact. Early local findings about the types of records that surfaced online were first reported in a major data breach story.
City response and lingering outages
The city says its Department of Technology severed external connectivity, brought in federal partners and has provided two years of Experian credit monitoring to impacted individuals, according to official notices. In February 2025 the City of Columbus acknowledged that a limited amount of protected health information was involved and began notifying affected people. Some public-facing tools, notably the Division of Police online report portal, remained offline many months after the attack, limiting access to records and crime-mapping data. WCMH/NBC4 highlighted the prolonged portal outage in mid-2025.
Legal fallout and accountability
The fight over what can be disclosed has also spilled into court. Columbus sued a security researcher who publicly analyzed leaked files, and a judge granted a temporary restraining order, as SC Media reported. Private plaintiffs later filed suits alleging harms from exposed employee and victim data, though a judge dismissed some claims on immunity grounds in 2025, according to reporting that originally ran in The Columbus Dispatch. Those rulings have only intensified demands from advocates and some councilmembers for a full public accounting and independent oversight…