Cyber Incident Victim: City of Saint Paul
Date:
Jul 2025
Location:
United States of America
Summary
The City of Saint Paul experienced a cyber attack that disrupted its digital services, forcing the shutdown of most internet-based systems and internal networks. In response, the mayor declared a state of emergency, activating the Emergency Operations Center and prompting a full network containment effort. The city coordinated with state and federal partners, including the Minnesota National Guard and FBI, while maintaining emergency and public safety operations. Attackers released personal data from Parks and Recreation files after a ransom demand went unpaid, though core systems like payroll remained secure. Recovery remains ongoing, supported by $1.2 million in state aid and additional cybersecurity funding to restore services and enhance protections.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the morning of July 29, 2025, the City of Saint Paul’s information security team detected suspicious activity within the city’s internal systems, confirming a coordinated digital attack by malicious threat actors. In immediate response, city leaders, in consultation with local and external partners, proactively restricted access to targeted internal systems and initiated a full network shutdown to contain the threat. Mayor Carter swiftly declared a state of emergency, authorizing the Departments of Emergency Management and the Office of Technology and Communications (OTC) to mobilize support from local, state, and federal partners. The city activated its Emergency Operations Center to lead response efforts, with staff working around the clock alongside national cybersecurity partners, the Minnesota Information Technology Services team, and federal law enforcement to investigate the incident, implement containment strategies, and begin rebuilding secure systems. While the city’s network remained offline as a precaution, all mission-critical operations, including emergency response and public safety services, were maintained without interruption. The full extent of the attack, including whether any sensitive information was accessed, remained under investigation at that time.
The cyber attack forced the city to shutter most Internet-based services, including public computer terminals at libraries, bill payment services, and phone communications, disrupting digital services for several weeks. Governor Tim Walz responded by issuing an executive order that activated cybersecurity specialists from the Minnesota National Guard, and the FBI and private consultants quickly became involved in the investigation and recovery. With a demanded ransom going unpaid, the cyber-attackers eventually released data from personal files held by Saint Paul Parks and Recreation workers onto the Internet; however, according to the mayor’s office, those files did not involve information from core systems like payroll or licensing. While most public-facing services were restored within a month, some behind-the-scenes work to shift, recreate, or safeguard digital services remained ongoing. In February 2026, Governor Walz authorized $1.2 million in state emergency disaster assistance to address the cybersecurity incident, ensuring the continued provision of essential services and enhancing protective measures. The 2026 city budget also included more than $1 million in added cybersecurity funding to restore systems and further safeguard digital services, though a precise tally of all actual costs related to the attack was not immediately available.