Crisis24 (OnSolve CodeRED)

Crisis24, the owner of the **CodeRED** emergency alert platform, suffered a **cyber attack** that led to a **data breach** in which **names, addresses, email addresses, phone numbers, and passwords** of users (including 88,000 landline and 130,000 cell phone subscribers) were potentially leaked. The attack also **disabled the entire CodeRED system nationwide**, preventing critical emergency alerts (e.g., wildfires, active shooters) from being sent to residents. Law enforcement agencies, including **Douglas County Sheriff’s Office**, terminated contracts due to the **lack of notification** about the outage and breach, forcing them to rely on **social media and door-to-door alerts** as temporary measures. The breach exposed users to **credential stuffing attacks**, with experts warning of potential financial fraud if passwords were reused. Crisis24 confirmed the attack was **contained to the legacy CodeRED environment** but admitted the incident disrupted **public safety communications** across multiple states, raising concerns over the **reliability of emergency notification systems**.

Source: https://www.denver7.com/news/local-news/law-enforcement-agencies-reevaluate-contracts-with-codered-after-data-breach

Emergency Communications Network cybersecurity rating report: https://www.rankiteo.com/company/emergency-communications-network-llc

"id": "EME0664306112525",
"linkid": "emergency-communications-network-llc",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '88,000 landline users + 130,000 '
                                              'cell phone users (DCSO '
                                              'subscribers)',
                        'industry': 'Public Safety',
                        'location': 'Douglas County, Colorado, USA',
                        'name': "Douglas County Sheriff's Office (DCSO)",
                        'type': 'Law Enforcement Agency'},
                       {'industry': 'Public Safety',
                        'location': 'Thornton, Colorado, USA',
                        'name': 'Thornton Police Department',
                        'type': 'Law Enforcement Agency'},
                       {'industry': 'Public Safety',
                        'location': 'Arapahoe County, Colorado, USA',
                        'name': "Arapahoe County Sheriff's Office",
                        'type': 'Law Enforcement Agency'},
                       {'industry': 'Public Safety',
                        'location': 'Aurora, Colorado, USA',
                        'name': 'City of Aurora',
                        'type': 'Municipal Government'},
                       {'industry': 'Public Safety',
                        'location': 'Colorado, USA',
                        'name': 'State of Colorado (multiple agencies)',
                        'type': 'State Government'},
                       {'location': 'USA',
                        'name': 'Nationwide CodeRED Users',
                        'type': 'General Public'}],
 'customer_advisories': ['Monitor financial accounts for suspicious activity.',
                         'Avoid password reuse; use password managers.',
                         'Sign up for alternative alert systems (e.g., FEMA '
                         'IPAWS for large-scale events).'],
 'data_breach': {'data_exfiltration': 'Confirmed (data published online)',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Email addresses',
                                                         'Phone numbers'],
                 'sensitivity_of_data': 'Moderate to High (risk of credential '
                                        'stuffing and identity aggregation)',
                 'type_of_data_compromised': ['PII (Personally Identifiable '
                                              'Information)',
                                              'Authentication Credentials']},
 'description': 'CodeRED, an emergency alert system owned by Crisis24 '
                '(OnSolve), suffered a cyber attack in early [Month, Year not '
                'specified]. The breach exposed user data (names, addresses, '
                'emails, phone numbers, passwords) and caused system outages, '
                'preventing law enforcement agencies from sending critical '
                'alerts. Multiple Colorado agencies (e.g., Douglas County, '
                'Thornton, Arapahoe County, Aurora) terminated or reevaluated '
                'contracts due to the incident. Crisis24 confirmed the attack '
                'was contained to the legacy OnSolve CodeRED platform, with '
                'data published online by an organized cybercriminal group. '
                'The company decommissioned the affected platform and '
                "accelerated the rollout of a new system, 'CodeRED by "
                "Crisis24'.",
 'impact': {'brand_reputation_impact': 'Severe (loss of trust from public '
                                       'safety agencies and residents; public '
                                       'criticism for delayed disclosure)',
            'customer_complaints': 'High (implied by public statements from '
                                   'law enforcement and media coverage)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Email addresses',
                                 'Phone numbers',
                                 'Passwords (hashed/plaintext unclear)'],
            'downtime': 'Nationwide outage (duration unspecified; at least two '
                        'weeks by disclosure time)',
            'identity_theft_risk': 'High (credential reuse warnings issued; '
                                   'potential for aggregation with other '
                                   'breached data)',
            'operational_impact': ['Inability to send emergency alerts (e.g., '
                                   'wildfires, active shooters, prescribed '
                                   'burns)',
                                   'Manual workarounds required (social media, '
                                   'door-to-door notifications)',
                                   'Contract terminations/reevaluations by '
                                   'multiple agencies'],
            'payment_information_risk': 'Indirect (warning issued about bad '
                                        'actors targeting banks/credit cards '
                                        'using leaked credentials)',
            'systems_affected': ['CodeRED emergency alert platform (legacy '
                                 'OnSolve environment)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (data published '
                                                    'online; no explicit '
                                                    'mention of dark web '
                                                    'sales)',
                           'high_value_targets': ['User credentials (for '
                                                  'aggregation attacks)']},
 'investigation_status': 'Ongoing (forensic analysis mentioned; no final '
                         'report cited)',
 'lessons_learned': ['Proactive communication with stakeholders during '
                     'incidents is critical to maintain trust.',
                     'Legacy systems may pose higher risks and require '
                     'accelerated replacement.',
                     'Password reuse by users amplifies breach impacts; '
                     'education on password hygiene is essential.',
                     'Redundant alert systems are necessary for public safety '
                     'continuity.'],
 'motivation': ['Financial Gain (credential stuffing/aggregation)',
                'Disruption of Services'],
 'post_incident_analysis': {'corrective_actions': ['Decommissioning of legacy '
                                                   'system.',
                                                   'Accelerated rollout of new '
                                                   "platform ('CodeRED by "
                                                   "Crisis24').",
                                                   'Public advisories on '
                                                   'password security.'],
                            'root_causes': ['Inadequate incident response '
                                            'communication protocols.',
                                            'Vulnerabilities in legacy OnSolve '
                                            'CodeRED platform.',
                                            'Delayed detection/response to the '
                                            'attack.']},
 'ransomware': {'data_exfiltration': 'Yes (data published online)'},
 'recommendations': ['Implement real-time monitoring and alerting for system '
                     'outages.',
                     'Establish clear protocols for notifying affected parties '
                     'during breaches.',
                     'Conduct regular security audits of emergency '
                     'notification platforms.',
                     'Promote multi-factor authentication (MFA) and password '
                     'managers to users.',
                     'Develop backup communication channels for emergencies '
                     '(e.g., IPAWS, RAVE).'],
 'references': [{'source': 'Denver7 News'},
                {'source': "Douglas County Sheriff's Office (DCSO) Statements"},
                {'source': 'Crisis24 Public Statement'},
                {'source': 'Thornton Police Department Social Media'},
                {'source': "Arapahoe County Sheriff's Office"},
                {'source': 'City of Aurora Social Media'},
                {'source': 'Dr. Steve Beaty (Metropolitan State University of '
                           'Denver)'}],
 'response': {'communication_strategy': ['Limited (criticized by agencies for '
                                         'lack of transparency)',
                                         'Public statement via media (Denver7)',
                                         'Advisories to users about password '
                                         'reuse risks'],
              'containment_measures': ['Decommissioning of legacy OnSolve '
                                       'CodeRED platform',
                                       'Isolation of affected environment'],
              'incident_response_plan_activated': 'Yes (forensic analysis '
                                                  'conducted; platform '
                                                  'decommissioned)',
              'law_enforcement_notified': 'Delayed (agencies learned of outage '
                                          'only when alerts failed; no '
                                          'proactive notification)',
              'remediation_measures': ["Accelerated rollout of 'CodeRED by "
                                       "Crisis24' platform"]},
 'stakeholder_advisories': ['Users advised to change passwords if reused '
                            'elsewhere.',
                            'Agencies advised to transition to alternative '
                            'platforms (e.g., RAVE, IPAWS).'],
 'threat_actor': 'Organized cybercriminal group',
 'title': 'Cyber Attack on CodeRED Emergency Alert System Disrupts Services '
          'Across Colorado and Nationwide',
 'type': ['Data Breach', 'System Outage', 'Cyber Attack']}