Cyberattackers Leak Parks and Rec Data After St. Paul, MN, Refuses to Pay Ransom
Hackers who targeted the city of St. Paul, MN, in a cyberattack last month published stolen data online after the city refused to pay them a ransom, Mayor Melvin Carter said Monday.
The 43 gigabytes of data largely appear to have come from a computer network drive used by the Parks and Recreation department where employees stored personal files and are not tied to core systems like payroll or licensing, the mayor said.
Some of the files included images of employee identification cards submitted to human resources, work documents, or even “personal items like recipes.” Carter said the contents are “varied and unsystematic.”
It’s still unclear if the hackers gained access to any other city data in their attack. Since they might have more, Carter said the city should remain cautious.
“While the scope of what they published against us is far smaller than what they’ve accomplished elsewhere, the fact remains: Someone was inside our systems,” he told reporters. “Once that happens, there’s no way to guarantee that they could not have access to more.”
Data posted online
Until this point, the city had said there was no evidence that it had any data stolen.
Carter said city officials and investigators didn’t believe the hackers had any data of serious value because they didn’t attempt to sell it and instead posted it for free online.
Gov. Tim Walz activated the Minnesota National Guard to provide the city with cybersecurity specialists, and the FBI is investigating the attack. Carter said both advised against paying a ransom.
Still, cybersecurity experts and information technology staff continue to comb through every corner of the city’s computer networks to ensure there are no remaining traces of the attack.
City officials have said there’s no evidence that resident information like names, addresses, and phone numbers was affected.
Bill payment information, like credit card numbers, is generally handled by “cloud-based” applications and should not have been affected by the hack, Carter said.
Who is responsible?
City officials still haven’t shared how much money hackers demanded or the exact nature of their threats.
But the mayor confirmed that St. Paul was targeted by a ransomware variant known as “Interlock,” and that the origin of the attack is a “sophisticated, money-driven organization known for stealing and selling massive volumes of sensitive information from large corporations, hospitals, and governments.”
The federal government’s Cybersecurity and Infrastructure Security Agency issued a warning about Interlock attacks on July 22. The ransomware variant was first identified in September 2024.
It’s unclear where the hackers are located, and there’s still concern that the group responsible for the cyberattack could continue attempting to extort the city.
Systems offline
St. Paul shut down its computer systems after learning of the cyberattack on July 25. Many city services have been disrupted as a result, but officials say the move was necessary to prevent hackers from doing more damage.
Many services remain offline weeks later, including the St. Paul Regional Water Services’ online payment portal. Public libraries are open, but their computers aren’t functioning, presenting a challenge for searching and organizing collections.
City human resources departments had to manually build spreadsheets in a makeshift office in order to make payroll on time, Carter said last week. The city said each employee got paid on time on Aug. 8.
Laptops in police cars also were affected, though emergency services such as 911 are still functioning.
Reset effort
In response to the attack, the city has called thousands of employees to report for in-person password changes and equipment inspections.
The effort started Sunday at 6 a.m., and the city’s goal is to process all 3,500 employees with login information by the end of Tuesday. The operation runs until 10 p.m. each night.
Employees have been reporting to a sprawling operation in the basement of Roy Wilkins Auditorium at the RiverCentre in downtown St. Paul to get new credentials.
As of around 5:30 p.m. Monday, more than 2,000 had gone through the process, according to the city.
Once a sufficient number of employees have new credentials, the city can begin reactivating systems, said Mary Gleich-Matthews, deputy chief information officer for St. Paul’s Office of Technology and Communication.
Carter said he expects that to start before the end of the week. It’s still not clear how much the effort will cost.
“If there’s a fire, we put out the fire and figure out how much the water costs later,” he said.
---
©2025 MediaNews Group, Inc.
Visit at twincities.com.
Distributed by Tribune Content Agency, LLC.