When St. Paul, Minnesota, announced it was investigating a “digital security incident,” the news quickly drew attention — not just from residents, but from cybersecurity professionals across the country. Municipalities operate critical infrastructure and deliver public services, making them a prime target for cyber attacks.
Ransomware activity has reached historically high levels, with Check Point Research reporting a 126 percent year-over-year increase in publicly claimed victims during the first quarter of 2025. Local governments are especially susceptible due to tight budgets, outdated infrastructure and a shortage of skilled IT staff.
St. Paul’s incident is part of a larger pattern affecting municipalities across the country. In 2019, Baltimore suffered a RobbinHood ransomware attack that shut down multiple city services. While the ransom demand was just $76,000 in Bitcoin, recovery costs eventually exceeded $18.2 million, covering technology upgrades, consulting fees and lost revenue.
Atlanta faced a similar crisis in 2018 when the SamSam ransomware disrupted everything from police services to municipal court systems. The city spent at least $2.6 million in recovery — far more than the roughly $50,000 ransom demand.
And in July 2025, Ridgefield Public Schools in Connecticut detected an active encryption attempt on its network. By taking systems offline immediately and engaging law enforcement, the district prevented a full-scale ransomware lockout, a reminder that swift action can contain damage even after an attack begins.
St. Paul leaders have since confirmed that they experienced a ransomware attack, but they didn’t identify the incident as such right away. Their response offers lessons for cities everywhere — from the language leaders choose to the speed and structure of their communications. It’s also a reminder that, when a cyber attack happens, recovery is not just about restoring systems; it’s about regaining access to critical data quickly and securely so public services can continue.
What Happened in St. Paul?
In late July 2025, St. Paul city officials announced they were responding to what they described as a “digital security incident.” Public updates explained that certain city services were disrupted, but essential operations — including emergency response and public utilities — remained unaffected.
The choice of words was deliberate. At the time of the announcement, investigators had not confirmed whether ransomware or another form of cyber attack was to blame. Calling it a “digital security incident” allowed officials to communicate the seriousness of the situation without making claims that might later prove inaccurate.
In the early stages of a cyber event, language matters. Terms like breach or ransomware carry strong implications and can shape public perception, media coverage and even the attacker’s leverage. By using measured language and sharing only verified facts, city or company leaders can maintain credibility, avoid unnecessary alarm and give their technical teams space to focus on the investigation and recovery.
Role of Leadership in Crisis
How leaders communicate during a cyber incident can have as much impact as the technical response itself. In St. Paul, Mayor Melvin Carter and his team demonstrated the value of a steady, coordinated approach. Public messaging was centralized through designated spokespeople, including the mayor himself, ensuring updates were consistent and based on confirmed facts.
This approach aligns closely with the CISA Incident Response Plan Basics, which recommends assigning a communications manager to oversee public information, preparing holding statements in advance and defining clear roles for who speaks — and who doesn’t — during an incident. The goal is to avoid conflicting narratives, maintain trust and prevent misinformation from spreading.
Effective leadership means having the right resources in place before an incident occurs. This includes not only having cybersecurity experts and incident responders on standby, but also establishing a relationship with a trusted, secure data recovery company that specializes in restoring data after a cyber attack. When systems are compromised, this foresight can be the difference between restoring critical information and losing it forever.
Why Transparency Matters
For municipal governments, transparency during a cyber incident isn’t just good practice — it’s part of their responsibility to the public. When essential services are disrupted, residents deserve clear, accurate updates about what’s happening, what’s being done, and how it might affect them.
That said, transparency doesn’t mean sharing every detail. The CISA Incident Response Plan Basics emphasizes the importance of releasing only confirmed information and avoiding technical specifics that could hinder the investigation or aid the attacker. By designating a communications manager and preparing pre-approved messaging templates, cities can respond quickly while keeping the narrative factual and consistent.
In St. Paul’s case, regular updates reassured residents that emergency services and public utilities were operational. That detail mattered. It prevented unnecessary panic and demonstrated that the city was prioritizing both public safety and public trust — a balance every municipality should strive for when responding to a digital crisis.
The Cost of Getting a Cybersecurity Incident Response Wrong
When a municipality suffers a cyber incident, the price tag is rarely just the cost of new hardware or consulting fees. The more lasting damage often comes from lost public trust. Residents rely on city governments to keep essential services running and to be honest about challenges when they arise. If communication is slow, inconsistent or misleading, rebuilding that trust can take far longer than restoring systems.
There’s also the operational cost of disruption. Even temporary outages in billing systems, permit processing, or public records access can ripple outward, delaying projects and eroding confidence in city operations. These indirect costs may not make headlines, but they can have a significant impact on the community and its economy.
Data recovery is another critical factor. After a system is technically restored, files may remain encrypted, corrupted or otherwise inaccessible. When organizations already have a trusted data recovery provider in their incident response plan, that pre-established relationship ensures the technical team can immediately begin retrieving critical data, rather than losing valuable time researching vendors during a crisis.
A strong incident response plan is as much about leadership and communication as it is about technology. Done well, it allows a city to address the immediate threat while preserving — and sometimes strengthening — its relationship with the people it serves.
Building Resilience
As noted earlier, ransomware activity has reached historically high levels — and there’s no indication the threat is going away. Even when attack volume dips from a peak, the overall baseline risk remains far higher than it was just a few years ago.
For cities, resilience has to be engineered into day-to-day operations, not bolted on after an incident. Practical moves are well-documented: enforce multi-factor authentication on privileged accounts, keep software and firmware patched, segment networks to limit blast radius, and maintain offline or immutable backups — and, crucially, practice restoring them so recovery becomes muscle memory. CISA’s #StopRansomware guidance also recommends preparing an incident playbook with a response checklist so technical containment, communication, and legal notifications aren’t improvised under pressure.
Resilience also means planning for the worst-case scenario: backups fail, files are encrypted, and urgent or critical data is inaccessible. Having a pre-selected, trusted, and secure data recovery partner in the plan ensures that, if attacked, the city can move directly into recovery mode without scrambling to find help. This foresight can shorten downtime, preserve critical records, and keep public services running in the face of serious disruption.
The strategic layer matters too. Adopting zero-trust principles — verify explicitly, use least-privilege access and monitor continuously — works hand-in-hand with these practices, helping leaders protect services, shorten downtime and preserve public trust even when the headlines aren’t ideal.
Key Takeaways From the St. Paul Cyber Attack
Incidents like the one in St. Paul, Minnesota — and the many that have come before it — show that digital preparedness isn’t optional. It’s a core function of governing in the modern, technology-driven world. For municipal leaders, that means:
- Fund cybersecurity as essential infrastructure. Security tools, training, and staffing must be part of the baseline budget, not discretionary spending.
- Follow proven playbooks. Use frameworks like CISA’s Incident Response Plan Basics to define roles, streamline communication, and reduce guesswork during a crisis.
- Train employees regularly. Phishing awareness, password hygiene and simulated attack exercises keep staff ready for the real thing.
- Adopt zero-trust principles. Assume every user, device, and connection must be verified, and segment networks to limit potential damage.
- Test recovery plans. Regularly rehearse restoring from offline backups so systems can be brought back online quickly and securely.
- Identify a trusted data recovery partner in advance. Building that relationship before a crisis means help is ready the moment it’s needed, reducing downtime and safeguarding critical information.
By treating cyber resilience as an ongoing commitment rather than a one-time project, municipalities can respond to incidents with confidence — and, in many cases, prevent them from becoming full-scale crises.