The City of St. Paul experienced a ransomware attack that disrupted critical municipal services for nearly three weeks. Hackers, attributed to a known cybercriminal group, breached the city’s systems and exfiltrated data, including work documents and copies of IDs belonging to Parks and Recreation employees. While the mayor confirmed no critical personal data of city employees or the public was accessed, the attack forced a system-wide shutdown, requiring over 3,000 employees to reset digital credentials. Online payment services for utilities (water, garbage) and department customer service lines were temporarily disabled, though later restored. The Minnesota National Guard’s cyber team was deployed to assist recovery, and the city remains in an active recovery phase with no confirmed timeline for full restoration. Financial costs and potential long-term reputational damage are still being assessed, with the mayor stating expenses will be disclosed post-recovery. The incident underscores vulnerabilities in government cybersecurity, prompting warnings for other entities to bolster defenses against similar threats.
TPRM report: https://www.rankiteo.com/company/city-of-saint-paul
"id": "cit638081725",
"linkid": "city-of-saint-paul",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'customers_affected': 'Residents relying on city '
'services (e.g., water, garbage, '
'parks and rec)',
'industry': 'Public Administration',
'location': 'St. Paul, Minnesota, USA',
'name': 'City of St. Paul, Minnesota',
'size': 'Large (3,500+ employees)',
'type': 'Municipal Government'}],
'customer_advisories': ['Restoration notices for online services',
'Guidance on service disruptions'],
'data_breach': {'data_encryption': 'Likely (ransomware attack)',
'data_exfiltration': 'Confirmed (hackers released some data '
'online)',
'file_types_exposed': ['Documents', 'ID scans/images'],
'personally_identifiable_information': 'Yes (employee IDs)',
'sensitivity_of_data': 'Moderate (IDs and internal documents)',
'type_of_data_compromised': ['Employee work documents',
'Copies of employee IDs']},
'date_detected': "Approximately 2023-07-10 (based on 'nearly three weeks ago' "
'from late July/early August reports)',
'date_publicly_disclosed': 'Late July 2023 (when Minnesota National Guard was '
'called in)',
'description': 'The City of St. Paul detected a cyberattack nearly three '
'weeks ago that disrupted various city services. The attack '
'was confirmed as ransomware, with hackers releasing some '
'stolen data online, including work documents and copies of '
'IDs from parks and recreation employees. The Minnesota '
"National Guard's cyber team provided surge support, and "
'recovery efforts are ongoing. Online payment services for '
'water and garbage, as well as department customer service '
'lines, have been restored. Over 3,000 city workers have '
'undergone digital credential resets, with more in progress. '
'The city has not yet disclosed the financial cost of '
'recovery, and no timeline for full restoration has been '
'provided.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'public disclosure of breach and data '
'leaks',
'data_compromised': ['Work documents',
'Copies of IDs (parks and rec employees)'],
'downtime': "Ongoing (as of early August 2023, 'active recovery' "
'phase)',
'financial_loss': 'Undisclosed (to be shared post-recovery)',
'identity_theft_risk': 'Moderate (IDs of parks and rec employees '
'exposed)',
'operational_impact': ['Disruption of city services',
'Credential reset process for employees',
'System cleanup and restoration'],
'systems_affected': ['Online payment services (water, garbage)',
'Customer service lines',
'Digital credentials (3,000+ employees)',
'City IT infrastructure']},
'initial_access_broker': {'high_value_targets': ['City employee data',
'Internal documents']},
'investigation_status': "Ongoing ('active recovery' as of early August 2023)",
'motivation': ['Financial (ransomware)', 'Data theft', 'Disruption'],
'post_incident_analysis': {'corrective_actions': ['Credential resets',
'System cleanup',
'Potential future '
'cybersecurity '
'enhancements']},
'ransomware': {'data_encryption': 'Likely', 'data_exfiltration': 'Confirmed'},
'references': [{'date_accessed': '2023-08',
'source': '5 EYEWITNESS NEWS (KSTP)',
'url': "https://kstp.com/ (inferred from '5 EYEWITNESS NEWS' "
'mention)'},
{'date_accessed': '2023-08',
'source': 'City of St. Paul Mayor’s Office',
'url': 'https://www.stpaul.gov/ (likely source of official '
'updates)'},
{'date_accessed': '2023-08-03 (mentioned in article)',
'source': 'Minnesota National Guard Press Release'}],
'response': {'communication_strategy': ['Public updates from Mayor Melvin '
'Carter',
'Media relations (e.g., 5 EYEWITNESS '
'NEWS)',
'Advisories on city service impacts'],
'containment_measures': ['Surge support from National Guard',
'Isolation of affected systems'],
'incident_response_plan_activated': 'Yes (Minnesota National '
'Guard cyber team deployed)',
'law_enforcement_notified': 'Likely (given involvement of '
'National Guard and public '
'statements)',
'recovery_measures': ['Restoration of online payment services',
'Restoration of customer service lines',
'Ongoing system recovery'],
'remediation_measures': ['Digital credential resets for 3,000+ '
'employees',
'System cleanup'],
'third_party_assistance': ['Minnesota National Guard Cyber Team',
'Potential other cybersecurity firms '
'(e.g., 360 Security Services '
'mentioned as example)']},
'stakeholder_advisories': ['Public updates from Mayor’s office',
'Media briefings'],
'threat_actor': 'Unnamed ransomware group (took credit for the attack)',
'title': 'Ransomware Attack on the City of St. Paul, Minnesota',
'type': ['Cyberattack', 'Ransomware']}