Officials shut down city systems on Monday to contain a data breach that started late Friday. It was a “complete network shut down” of Wi-Fi and Internet-based systems, though 911 and emergency response remained unaffected.
July 29, 2025 •
Frederick Melo, Pioneer Press
(TNS) — St. Paul Mayor Melvin Carter declared a state of local emergency on Tuesday following a days-long cyber attack on the city’s Internet-based computer networks that led the city to call in the FBI and Gov. Tim Walz to enlist the aid of the Minnesota National Guard’s cybersecurity experts.
The data breach has left officials in St. Paul city government scrambling, leaving the city on Monday to conduct a precautionary “complete network shut down” of its Wi-Fi and Internet-based systems, from public computer terminals within the St. Paul libraries to key networks at City Hall. As a result, most city services remain offline, other than 911 and other public safety operations.
The investigation, which has roped in the FBI and national cybersecurity experts, is being treated as a criminal matter. The mayor said he was not aware of any request for ransom, though the city is not the lead investigator, and it was unclear what information, if any, had been stolen.
“This was a deliberate, coordinated, digital attack carried out by a sophisticated external actor, intentionally and criminally targeting our city’s information infrastructure,” said Carter on Tuesday, during a press conference outside the mayor’s office that also was attended by St. Paul Police Chief Axel Henry and a number of City Hall officials.
The state of local emergency declaration authorizes the city department of Emergency Management and the Office of Technology and Communications to call in support from local, state and federal partners while coordinating a response across city departments.
“We are the victim of a serious crime,” said Jaime Wascalus, director of the city’s Office of Technology and Communications, following the mayor’s remarks.
Carter joined Human Services Director Toni Newborn in a phone call Tuesday with leaders of the city’s labor unions to alert them to the situation and address concerns, such as future payroll.
FIRST DETECTED FRIDAY
The breach was first detected Friday, according to the mayor’s office, and began with a report of suspicious activity to the Office of Technology and Communications, which discovered “an active digital security incident” that “impacted the integrity of city information.”
Chief Information Security Officer Stefanie Horvath said the city’s EDR — or Endpoint Detection and Response System — is intended to function “like a force field on your computer” and alerted the city to “nefarious activity” on Friday, spurring “containment actions.”
“We’ve never experienced this before,” said Horvath, at the press conference. “But right now we have contained the risk to city systems. … It’s been a very long 24 hours, as you can well imagine.”
The mayor’s administration alerted city department directors, and the city’s cybersecurity protection team found the breach was coming from within the city’s servers. Affected accounts were deactivated, and the city hired a national cybersecurity firm for “advanced forensic investigation, containment and strategic response planning,” according to the mayor’s office.
On Monday, the mayor’s administration put the city’s Emergency Operations Center in charge of managing the city’s response to the breach.
To make it difficult for third parties to steal sensitive information, a VPN, or Virtual Private Network, allows for an encrypted connection over the Internet, with the goal of enhancing security and privacy as data travels online, particularly on public networks. The VPN routes Internet traffic through a remote server, masks its origin, or IP address, and encrypts it.
‘COMPLETE NETWORK SHUTDOWN’
On Monday, the city disabled VPN access for all computer users except law enforcement and others needing access to public safety data, and the city “initiated a complete network shutdown to contain the incident,” according to the mayor’s office.
The shutdown disabled public-facing Internet computer terminals throughout the library system and other Internet-based and Wi-Fi enabled systems, rendering many city services inoperable. The city’s libraries and rec centers remained open Tuesday, without Internet access.
The shutdown was “a proactive step,” according to the mayor’s office, and “not the result of the ongoing digital security incident.”
Ramsey County’s information systems were not affected by the digital security incident or the precautionary network shutdown, though the county took steps “to limit digital interactions while we continue to monitor the situation,” according to a statement from county officials.
Walz issued an executive order Tuesday deploying cyber protection experts from the Minnesota National Guard to assist St. Paul, and “to ensure continuity of vital services and the safety and security of St. Paul residents,” said the governor’s office, in a written statement.
