Cyber Incident Victim: Mandan, Hidatsa, and Arikara Nation
Date: Apr 2021
Location: United States of America
Summary
The Three Affiliated Tribes experienced a ransomware attack that compromised their servers, rendering critical files, emails, and operational information inaccessible. The incident highlights broader cybersecurity challenges faced by tribal entities, as ransomware actors increasingly target such organizations to extort payments by threatening data leaks or sales. Other tribal nations, including the Squamish Nation, Washoe Tribe, and Colorado River Indian Tribes, have similarly appeared on threat actor leak sites following cyberattacks, though comprehensive reporting on tribal incidents remains limited due to the absence of centralized tracking mechanisms.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
On April 28, 2021, the Three Affiliated Tribes—comprising the Mandan, Hidatsa, and Arikara Nation—publicly disclosed a ransomware attack that compromised their servers. The malicious software rendered critical tribal information inaccessible, disrupting internal operations by blocking access to files, email systems, and other essential data repositories. The announcement, directed to staff and employees, confirmed the server breach but did not specify the exact timing of the initial intrusion or the method of infiltration. While the tribe attributed the incident to ransomware, no details were provided regarding ransom demands, payment negotiations, or whether data exfiltration occurred. The attack paralyzed administrative functions dependent on the compromised systems, though the full scope of affected services or departments remained unclarified in public statements.

The incident highlighted broader challenges in tracking cyber threats against tribal entities, as no centralized database documents the frequency or severity of such attacks on Indigenous nations. Cybersecurity & Infrastructure Security Agency (CISA) advisories noted ransomware groups increasingly target state, local, tribal, and territorial governments, often threatening to leak or sell stolen data unless ransoms are paid. Independent monitoring by DataBreaches.net identified at least three other tribes—Squamish Nation, Washoe Tribe, and Colorado River Indian Tribes—listed on ransomware leak sites around the same timeframe, with data either auctioned or publicly dumped. No confirmation existed regarding whether the Three Affiliated Tribes’ data appeared on these sites or whether formal breach notifications were issued to individuals. The lack of standardized reporting mechanisms for tribal cyber incidents compounded difficulties in assessing defensive measures or recovery actions undertaken by the Hidatsa-affiliated administration following the attack.
