
Cyber Incident Victim: Spokane County

Date:

Nov 2025

Location:

United States of America

Summary

Spokane County experienced a disruption of its emergency alert notifications after hackers compromised the vendor that provides the CodeRED platform used for the ALERT Spokane program. The breach prevented access to the system for about a week before the vendor confirmed a cyberattack, which ultimately destroyed the legacy platform and forced its decommissioning. Similar outages were reported across multiple states, affecting other jurisdictions that rely on the same service. In response, the county relied on state and federal alert systems, routing messages through the Washington State Alert and Warning Center and the Federal Integrated Public Alert and Warning System. The vendor later released a more secure version of the platform, but the county decided not to continue the partnership due to dissatisfaction with the response. The incident was linked to a ransomware group that disclosed stolen user data and rejected extortion offers.


Description

Hackers gained access to the company that provides Spokane County's emergency alert notifications system in November 2025 as part of a broader cyberattack that disrupted local governments and first responders nationwide. Spokane County had relied on the Crisis24‑owned OnSolve CodeRED platform since 2017 to host its ALERT Spokane program, according to Chandra Fox, deputy director of Spokane County Emergency Management. Fox said attorneys representing Crisis24 informed her that Spokane County users were not affected by the data breach, but the attack rendered the CodeRED system inaccessible, preventing anyone from logging in to compose or send alerts. Approximately one week passed before OnSolve notified the county that the outage resulted from a cyberattack, which Fox described as having all but destroyed the CodeRED system, prompting Crisis24 to decommission its legacy platform entirely. The disruption was not isolated to Spokane County; agencies and governments across the country, including multiple counties in California, Colorado, and Florida, as well as Washington’s King County and Idaho’s Ada County, reported a similar inability to access the CodeRED service for emergency notifications. In response to the loss of its primary alerting tool, Spokane County turned to the Washington State Alert and Warning Center and the Federal Integrated Public Alert and Warning System to disseminate emergency messages, requiring staff to call the state to have alerts sent on behalf of the county or responding agencies. Fox noted that the county did not issue a public notification of the attack earlier because it remained capable of sending emergency notifications to residents through a backup system, ensuring that its ability to message the public was not affected during the incident.

The breach exposed certain subscriber data, including usernames, phone numbers, and inactive, outdated passwords that had been deactivated and changed during a 2015 platform migration, according to a December 22 update from Crisis24 that was shared with and published by the city of Mt. Lebanon, Pennsylvania. Hackers also obtained usernames linked to encrypted passwords, although the passwords themselves remained unreadable and unidentified. The attack has been attributed to the INC Ransomware group, which has claimed responsibility for other high‑profile breaches such as those affecting Scotland’s National Health Service, Xerox Business Solutions’ U.S. offices, and Yamaha Motors Philippines. The group posted online screenshots of alleged stolen customer data, including email addresses and associated clear‑text passwords, and shared what it described as ransom negotiation details. Crisis24 initially offered $100,000 to the attackers, later increasing the offer to $150,000, both of which were rejected. Fox said the unsatisfactory manner in which Crisis24 responded to the incident was a primary factor in the county’s decision to discontinue business with the company. In the aftermath, Crisis24 released a newer iteration of the CodeRED platform that it markets as more secure and has been working rapidly to migrate government and law‑enforcement partners from the old system. Spokane County, however, has opted not to continue with Crisis24 and intends to seek a new provider. Fox said she hopes to present a new contract with an alternative vendor to the Spokane County Commission for approval by the end of February 2026, noting that the emergency‑notification industry has evolved significantly since the county’s original 2017 agreement and that options now exist with advanced capabilities—such as mapping functions—that could integrate well with recent upgrades at the Spokane Regional Emergency Communications Center. 
The county’s goal remains to provide the most effective alerting capability for its residents.
