Key Takeaways
- The City of St. Paul detected a cybersecurity breach on July 25, 2023, prompting a full network shutdown to contain the incident.
- Mayor Melvin Carter declared a local state of emergency, and Governor Tim Walz deployed the Minnesota National Guard’s 177th Cyber Protection Team to assist.
- The compromised data resided on a shared Parks and Recreation Department drive and included employee ID photos, work documents, and personal files such as recipes; no core systems like payroll or licensing were affected.
- Officials determined that the hackers did not obtain sensitive or valuable information, as they released the data for free online after the city refused to pay a ransom.
- Affected individuals are being offered one year of free IDX identity‑protection services and can contact a dedicated call center at 1‑888‑204‑2071 for assistance.
- A forensic investigation and an independent After‑Action Review have been completed, and the city is implementing the review’s recommendations to strengthen future defenses.
- Residents and employees can view the full investigation report at StPaul.gov/2025CyberIncident.
Detection and Initial Response
On July 25, 2023, the City of St. Paul’s information security team identified anomalous activity indicative of a cyber intrusion. Recognizing the potential severity, officials immediately ordered a complete shutdown of the city’s computer networks to halt any further data exfiltration. This decisive action, while disruptive to municipal services, was intended to limit the attackers’ ability to move laterally within the environment and to preserve evidence for forensic analysis. The shutdown also triggered the city’s incident‑response plan, which mobilized internal IT staff, external cybersecurity consultants, and law‑enforcement liaisons to begin containment and eradication efforts.
State of Emergency and National Guard Assistance
In tandem with the technical response, then‑Mayor Melvin Carter issued a declaration of a local state of emergency, granting the city additional authority to allocate resources and expedite procurement of emergency services. Acknowledging the specialized nature of the threat, Governor Tim Walz activated the Minnesota National Guard’s 177th Cyber Protection Team. The Guard’s cyber specialists worked alongside city personnel to conduct threat hunting, malware analysis, and system restoration, providing critical expertise that helped accelerate the recovery process while maintaining operational security.
Scope and Source of Compromised Data
Investigators traced the breach to a shared network drive utilized by the Parks and Recreation Department. Employees commonly stored a variety of files on this drive, ranging from work‑related documents to personal items such as scanned identification cards, recipes, and informal notes. Because the drive was not integrated with core municipal systems—such as payroll, licensing, or emergency services—the attackers did not gain access to those higher‑value repositories. The data that was exfiltrated therefore consisted largely of non‑critical, mixed‑content files that, while potentially revealing personal details, did not encompass the comprehensive datasets typically targeted in ransomware or espionage campaigns.
Assessment of Data Sensitivity and Ransom Dynamics
City officials emphasized that the information posted by the hackers lacked the sensitivity or monetary value that would motivate a ransom demand. After the intrusion, the threat actors released the stolen files onto a public forum without requesting payment, a behavior consistent with actors seeking notoriety rather than financial gain. The city’s refusal to entertain any ransom negotiation further underscored its stance against rewarding criminal conduct. Subsequent analysis indicated that no resident‑specific identifiers—such as names, addresses, or phone numbers—were present in the leaked material, reducing the risk of identity theft or fraud stemming directly from this incident.
Notification and Identity‑Protection Offer
Having completed a thorough forensic review, the City of St. Paul began notifying all individuals whose personal information may have been accessed. As part of its commitment to mitigate potential harm, the city is providing one year of complimentary IDX identity‑protection services to each affected party. This service includes credit monitoring, dark‑web surveillance, and identity‑theft insurance, aiming to detect any misuse of personal data swiftly and to offer remediation support if needed. The notification letters detail the steps recipients can take to enroll in the protection program and outline additional precautionary measures they may consider.
Dedicated Call Center for Public Assistance
To address questions and concerns arising from the breach, the city established a dedicated call center staffed by trained representatives. The hotline, reachable at 1‑888‑204‑2071, operates during extended hours to accommodate varying schedules and provides assistance in multiple languages. Callers can verify whether they have been notified, learn how to activate the IDX services, obtain guidance on safeguarding personal information, and receive updates on the city’s ongoing remediation efforts. The center also logs inquiries to help the city gauge public sentiment and identify any emerging issues that may require further communication.
Forensic Investigation, After‑Action Review, and Recommendations
A third‑party forensic investigator was engaged to examine the compromised data, map the attack vectors, and determine precisely which records were accessed. Upon completion of this review, the city conducted an independent After‑Action Review (AAR) that evaluated the effectiveness of its detection, response, and recovery procedures. The AAR highlighted strengths—such as the rapid network shutdown and interagency collaboration—while also identifying gaps in network segmentation, employee awareness training, and incident‑response documentation. The city has pledged to implement the AAR’s recommendations, which include tightening access controls on shared drives, enhancing multi‑factor authentication, and conducting regular tabletop cyber‑exercises.
Continuous Improvement and Public Transparency
In the aftermath of the incident, St. Paul’s administration under Mayor Kaohly Her is prioritizing long‑term resilience. This involves updating the city’s cybersecurity policy framework, investing in advanced threat‑detection tools, and fostering a culture of security awareness among all employees. To maintain transparency, the city has published the full investigation report at StPaul.gov/2025CyberIncident, allowing residents, businesses, and other stakeholders to scrutinize the findings and the remedial roadmap. By openly sharing lessons learned and demonstrating concrete steps toward stronger defenses, St. Paul aims to restore public confidence and reduce the likelihood of similar incidents in the future.

