City of St. Paul, Minnesota

The City of St. Paul, Minnesota, suffered a **ransomware attack** starting on **July 25**, disrupting operations for weeks. The attack led to the **leak of 43 GB of city data** after officials refused to pay the ransom, though authorities claimed sensitive core systems (e.g., 911, payroll) remained unaffected. The breach exposed **employee data**, prompting the city to offer **identity theft protection and cybersecurity monitoring** for affected staff. Recovery involved a **17-day deployment of the Minnesota National Guard’s 177th Cyber Protection Team**, FBI, and CISA assistance. The city transformed **Roy Wilkins Auditorium into a secure operations hub**, requiring employees to verify identities and receive temporary passwords. Mayor Melvin Carter proposed a **$1.08 million cybersecurity investment** (including $700K one-time reserve and $381K ongoing support) to bolster defenses, citing the attack as a catalyst for long-term resilience. Despite disruptions, critical services remained operational, and most systems were restored by the time of the mayor’s September budget speech.

Source: https://www.govtech.com/security/st-paul-minn-proposes-1m-cyber-boost-after-cyber-attack

TPRM report: https://www.rankiteo.com/company/city-of-saint-paul

"id": "cit1302113091025",
"linkid": "city-of-saint-paul",
"type": "Ransomware",
"date": "7/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'city employees (data '
                                              'potentially exposed)',
                        'industry': 'public administration',
                        'location': 'St. Paul, Minnesota, USA',
                        'name': 'City of St. Paul, Minnesota',
                        'type': 'government (municipal)'}],
 'customer_advisories': '1 year of identity theft protection and cybersecurity '
                        'monitoring offered to city employees',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'potential exposure of '
                                                        'city employee data '
                                                        '(mitigated with '
                                                        'identity theft '
                                                        'protection)',
                 'sensitivity_of_data': 'low (per city officials, core '
                                        'sensitive systems not accessed)',
                 'type_of_data_compromised': 'city data (non-sensitive, per '
                                             'city officials)'},
 'date_detected': '2024-07-25',
 'description': 'A ransomware attack on the City of St. Paul, Minnesota, began '
                'on July 25 and unfolded over several weeks, disrupting city '
                'operations. The attack prompted a 17-day deployment of the '
                'Minnesota National Guard’s 177th Cyber Protection Team to '
                'assist in recovery. The city refused to pay the ransom, and '
                'the attackers published 43 GB of city data online. Despite '
                'the breach, core services like 911 response and payroll '
                'remained operational. The city invested $1.08 million to '
                'bolster cybersecurity defenses post-incident.',
 'impact': {'brand_reputation_impact': 'potential reputational damage due to '
                                       'data breach and public disclosure',
            'data_compromised': '43 gigabytes of city data (non-sensitive core '
                                'systems data, per city officials)',
            'downtime': 'several weeks (partial outages, core services like '
                        '911 and payroll remained operational)',
            'identity_theft_risk': 'city employees (mitigated by offering 1 '
                                   'year of identity theft protection and '
                                   'cybersecurity monitoring)',
            'operational_impact': 'disruption of city operations, '
                                  'transformation of Roy Wilkins Auditorium '
                                  'into a secure operations hub for identity '
                                  'verification and password resets',
            'systems_affected': ['city digital systems (majority restored)',
                                 'employee devices (temporarily locked until '
                                 'identity verification)']},
 'investigation_status': 'ongoing (FBI and CISA handling criminal '
                         'investigation)',
 'lessons_learned': ['early investment in cybersecurity and having the right '
                     'personnel were critical to maintaining core services',
                     'importance of proactive cybersecurity defenses and '
                     'secure service delivery',
                     'need for robust identity verification processes during '
                     'incident response'],
 'motivation': 'financial (ransom demand)',
 'post_incident_analysis': {'corrective_actions': ['$1.08 million '
                                                   'cybersecurity investment',
                                                   'expansion of proactive '
                                                   'defenses',
                                                   'secure operations hub '
                                                   'setup for identity '
                                                   'verification',
                                                   'employee identity theft '
                                                   'protection']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': True},
 'recommendations': ['$1.08 million investment in cybersecurity (one-time '
                     '$700,000 reserve + $381,000 ongoing support)',
                     'expansion of proactive cybersecurity defenses',
                     'doubling down on secure and transparent service delivery',
                     'providing identity theft protection and cybersecurity '
                     'monitoring for affected employees'],
 'references': [{'source': 'City of St. Paul YouTube Channel (Mayor Melvin '
                           'Carter’s budget speech excerpt)'},
                {'source': 'Minnesota Legislative Commission on Cybersecurity '
                           '(Aug. 27 update)'}],
 'regulatory_compliance': {'regulatory_notifications': ['update to Minnesota '
                                                        'Legislative '
                                                        'Commission on '
                                                        'Cybersecurity (Aug. '
                                                        '27)']},
 'response': {'communication_strategy': ['public address by Mayor Melvin '
                                         'Carter (Sept. 4 budget speech)',
                                         'update to Minnesota Legislative '
                                         'Commission on Cybersecurity (Aug. '
                                         '27)',
                                         'YouTube video excerpt of mayor’s '
                                         'remarks'],
              'containment_measures': ['locking employee devices until '
                                       'identity verification',
                                       'issuing temporary passwords at a '
                                       'secure operations hub (Roy Wilkins '
                                       'Auditorium)'],
              'enhanced_monitoring': 'proactive cybersecurity defenses '
                                     '(expanded post-incident)',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['17-day deployment of cyber protection '
                                    'team',
                                    'transformation of Roy Wilkins Auditorium '
                                    'into a secure operations hub'],
              'remediation_measures': ['restoring systems with stronger '
                                       'safeguards',
                                       'expanding proactive cybersecurity '
                                       'defenses'],
              'third_party_assistance': ['Minnesota National Guard’s 177th '
                                         'Cyber Protection Team (17-day '
                                         'deployment)',
                                         'FBI',
                                         'Cybersecurity and Information '
                                         'Security Agency (CISA)']},
 'stakeholder_advisories': ['Mayor’s budget speech (Sept. 4)',
                            'update to Minnesota Legislative Commission on '
                            'Cybersecurity (Aug. 27)'],
 'title': 'Ransomware Attack on the City of St. Paul, Minnesota',
 'type': 'ransomware'}