OnSolve (CodeRED)

A cyberattack on **OnSolve’s CodeRED**—a cloud-based emergency alert system used by U.S. state/local governments, police, and fire agencies—disrupted critical notification services, preventing geo-targeted warnings (calls, texts, emails) during emergencies. The **INC Ransom** group claimed responsibility, encrypting files on **November 10, 2025**, after gaining access on **November 1**. The attack compromised user data, including **names, addresses, email addresses, phone numbers, and passwords**, though no financial data was exposed. While the stolen data (e.g., .csv files from databases) was not yet leaked online, the group threatened to sell it after OnSolve refused a **$100,000 ransom**. The incident forced the decommissioning of the old CodeRED platform, with customers migrated to a new, audited system. The outage directly impacted public safety communications, risking delayed emergency responses for agencies relying on the service. OnSolve failed to report the breach to authorities initially, exacerbating reputational and operational damage.

Source: https://securityaffairs.com/185075/cyber-crime/emergency-alerts-go-dark-after-cyberattack-on-onsolve-codered.html

Emergency Communications Network cybersecurity rating report: https://www.rankiteo.com/company/emergency-communications-network-llc

"id": "EME3841238112625",
"linkid": "emergency-communications-network-llc",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'emergency notification services',
                        'location': 'United States',
                        'name': 'OnSolve',
                        'type': 'private company'},
                       {'industry': 'public safety',
                        'location': 'University Park, Texas, USA',
                        'name': 'City of University Park, Texas',
                        'type': 'local government'},
                       {'industry': 'emergency services',
                        'location': 'United States',
                        'name': 'U.S. state and local governments, police, and '
                                'fire agencies (users of CodeRED)',
                        'type': ['government agencies',
                                 'public safety organizations']}],
 'customer_advisories': 'Users advised to change passwords reused elsewhere; '
                        'no financial data impacted',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['.csv files (containing user data)'],
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'email addresses',
                                                         'phone numbers',
                                                         'account passwords'],
                 'sensitivity_of_data': 'high (includes passwords, which could '
                                        'enable credential stuffing attacks)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)']},
 'date_detected': '2025-11-01',
 'date_publicly_disclosed': '2025-11-26',
 'description': 'A cyberattack on the OnSolve CodeRED alert platform disrupted '
                'emergency notification services used by U.S. state and local '
                'governments, police, and fire agencies. The INC Ransom group '
                'claimed responsibility, potentially compromising user data '
                'including names, addresses, email addresses, phone numbers, '
                'and passwords. The City of University Park, Texas, reported '
                'the incident, noting that while no financial data was '
                'exposed, reused passwords should be changed. OnSolve is '
                'migrating customers to a new, secured platform after '
                'decommissioning the compromised system.',
 'impact': {'brand_reputation_impact': 'Potential damage due to data breach '
                                       'and service disruption',
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': 'High (due to compromised PII: names, '
                                   'addresses, emails, phone numbers, '
                                   'passwords)',
            'operational_impact': 'Disruption of emergency alert services for '
                                  'U.S. state, local, police, and fire '
                                  'agencies',
            'payment_information_risk': 'None (no financial data collected by '
                                        'CodeRED)',
            'systems_affected': ['OnSolve CodeRED alert platform (previous '
                                 'version)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (two .csv '
                                                    'files listed for sale on '
                                                    "INC Ransom's Tor leak "
                                                    'site)',
                           'high_value_targets': ['user databases (containing '
                                                  'PII)']},
 'investigation_status': 'Ongoing (no stolen data found online as of '
                         'disclosure, but future leaks possible)',
 'motivation': ['financial gain', 'data theft', 'reputation damage'],
 'post_incident_analysis': {'corrective_actions': ['Decommissioning of '
                                                   'compromised platform',
                                                   'Migration to new, secured '
                                                   'environment',
                                                   'Security audit and '
                                                   'penetration testing',
                                                   'System hardening']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$100,000',
                'ransomware_strain': 'INC Ransom'},
 'recommendations': ['Change passwords reused across multiple accounts',
                     'Monitor for potential identity theft or credential '
                     'stuffing attacks',
                     'Ensure vendors implement robust security measures (e.g., '
                     'penetration testing, hardening)',
                     'Avoid paying ransoms to threat actors'],
 'references': [{'date_accessed': '2025-11-26',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.co/wordpress/149820/cyber-crime/onsolve-codered-cyberattack.html'},
                {'date_accessed': '2025-11-26',
                 'source': 'City of University Park, Texas - Emergency '
                           'Notification'}],
 'response': {'communication_strategy': ['public notification by City of '
                                         'University Park',
                                         'advisory to change reused passwords',
                                         'transparency about potential future '
                                         'data leaks'],
              'containment_measures': ['decommissioning of compromised CodeRED '
                                       'platform',
                                       'migration to new secure platform'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['migration of all customers to new '
                                    'platform'],
              'remediation_measures': ['full security audit',
                                       'penetration testing',
                                       'system hardening',
                                       'new platform built in uncompromised '
                                       'environment'],
              'third_party_assistance': ['external security experts (for '
                                         'penetration testing and hardening)']},
 'stakeholder_advisories': 'City of University Park notified residents; '
                           'OnSolve working with customers on migration to new '
                           'platform',
 'threat_actor': 'INC Ransom group',
 'title': 'Cyberattack on OnSolve CodeRED Disrupts Emergency Alert Services',
 'type': ['cyberattack', 'ransomware', 'data breach']}