Cyber Incident Report — July 2, 2026

RE: Investigation Report per Minn. Stat. § 13.055 

On July 25, 2025, the City’s cybersecurity systems detected suspicious activity involving compromised accounts tied to a critical backup server. The City immediately deactivated the accounts, isolated affected servers, and began enhanced monitoring.  

On July 26, the City engaged a cybersecurity vendor—a nationally recognized incident response firm—to help contain the threat and conduct a forensic investigation. By July 27, the City took additional precautions by disabling VPN access for most employees to prevent further attacker movement across the network. On July 28, the City shut down the broader network to stop the attacker and eradicate them from City systems. During this time, the City also partnered closely with law enforcement.

On August 11, 2025 a set of data was exposed on the threat actor's leak site after the City refused to pay a demanded ransom. The exposed material came from a Parks and Recreation network drive, and did not include core city service-related data. The City immediately began a careful review of the data to determine what was accessed and who may have been affected.  

Collectively, the data security breach involved the theft of approximately 43 gigabytes of data. This included personal identifying information on a total of 12,484 individuals, including some current and former employees, interns, volunteers, and participants in the City’s Parks recreational activities. The impacted non-public data included names, addresses, telephone numbers, dates of birth, and Social Security numbers. Due to the volume of the information, the City worked with an outside vendor to review this data and identify all affected individuals.  

Upon completion of the cataloguing and verification of the potentially improperly accessed data, the City provided notifications to affected persons required under Minnesota law. 

Received a notification? Contact our dedicated call center for support.

The attacker exposed about 43GB of data from a Saint Paul Parks and Recreation network drive. The City first disclosed this information on August 11, 2025. Since then, the City has contracted with a forensic investigator to securely review the affected data and identify individuals whose information may have been improperly accessed. That review is now complete, and individual notification is being sent to affected employees and residents. 

The City has partnered with IDX to establish a dedicated call center to answer questions from people who receive a notification or believe they may be affected. The call center can be reached at 1-888-204-2071. 

Contact the IDX Call Center

Frequently Asked Questions