ST. PAUL, Minn. — St. Paul Mayor Melvin Carter declared a state of local emergency on Tuesday following a days-long cyberattack on the city’s Internet-based computer networks that led the city to call in the FBI and Gov. Tim Walz to enlist the aid of the Minnesota National Guard’s cybersecurity experts.

The data breach has left officials in St. Paul city government scrambling, leaving the city on Monday to conduct a precautionary “complete network shut down” of its Wi-Fi and Internet-based systems, from public computer terminals within the St. Paul libraries to key networks at City Hall. As a result, many city services remain offline, other than 911 and other public safety operations.

The investigation, which has roped in the FBI and national cybersecurity experts, is being treated as a criminal matter. The mayor said he was not aware of any request for ransom, though the city is not the lead investigator, and it was unclear what information, if any, had been stolen.

It’s also unclear who orchestrated the attack, or if they accessed any private employee or citizen data or other sensitive information, but the city is taking the unprecedented step of effectively unplugging itself from the Internet as a precaution. Libraries, rec centers and other buildings remain open, but with no access to Internet-based services.

“This was a deliberate, coordinated, digital attack carried out by a sophisticated external actor, intentionally and criminally targeting our city’s information infrastructure,” said Carter on Tuesday, during a press conference outside the mayor’s office that also was attended by St. Paul Police Chief Axel Henry and a number of City Hall officials.

The state of local emergency declaration authorizes the city department of Emergency Management and the Office of Technology and Communications to call in support from local, state and federal partners while coordinating a response across city departments.

“We are the victim of a serious crime,” said Jaime Wascalus, director of the city’s Office of Technology and Communications, following the mayor’s remarks.

Carter joined Human Services Director Toni Newborn in a phone call Tuesday with leaders of the city’s labor unions to alert them to the situation and address concerns, such as future payroll. “Obviously, we’re concerned about payroll, but we’re waiting to hear more about the situation,” said Max Hall, a spokesperson for the American Federation of State, County and Municipal Employees, which represents many of the city’s workers.

The breach was first detected Friday, according to the mayor’s office, and began with a report of suspicious activity to the Office of Technology and Communications, which discovered “an active digital security incident” that “impacted the integrity of city information.”

Chief Information Security Officer Stefanie Horvath said the city’s EDR — or Endpoint Detection and Response System — is intended to function “like a force field on your computer” and alerted the city to “nefarious activity” on Friday, spurring “containment actions.”

“We’ve never experienced this before,” said Horvath, at the press conference. “But right now we have contained the risk to city systems. … It’s been a very long 24 hours, as you can well imagine.”

The mayor’s administration alerted city department directors, and the city’s cybersecurity protection team found the breach was coming from within the city’s servers. Affected accounts were deactivated, and the city hired a national cybersecurity firm for “advanced forensic investigation, containment and strategic response planning,” according to the mayor’s office.

On Monday, the mayor’s administration put the city’s Emergency Operations Center in charge of managing the city’s response to the breach.

To make it difficult for third parties to steal sensitive information, a VPN, or Virtual Private Network, allows for an encrypted connection over the Internet, with the goal of enhancing security and privacy as data travels online, particularly on public networks. The VPN routes Internet traffic through a remote server, masks its origin, or IP address, and encrypts it.

On Monday, the city disabled VPN access for all computer users except law enforcement and others needing access to public safety data, and the city “initiated a complete network shutdown to contain the incident,” according to the mayor’s office.

The shutdown disabled public-facing Internet computer terminals throughout the library system and other Internet-based and Wi-Fi enabled systems, rendering many city services inoperable. The city’s libraries and rec centers remained open Tuesday, without Internet access.

The shutdown was “a proactive step,” according to the mayor’s office, and “not the result of the ongoing digital security incident.”

Walz issued an executive order Tuesday deploying cyber protection experts from the Minnesota National Guard to assist St. Paul, and “to ensure continuity of vital services and the safety and security of St. Paul residents,” according to the governor’s office.

A Minnesota National Guard spokesperson did not specify how many guard members had been deployed, other than to say it was “a limited number of specialty experts.”

“Our service members bring years of specialized training and operational experience in cybersecurity,” said Army Brig. Gen. Simon Schaefer, the guard’s Director of Joint Staff, in a written statement. “We are confident in their capabilities and proud to support our local partners in safeguarding critical systems.”

Ramsey County’s information systems were not affected by the digital security incident or the precautionary network shutdown, though the county took steps to discourage county workers from emailing city departments or otherwise interacting online with city offices.

“Out of an abundance of caution, we have taken steps to limit digital interactions while we continue to monitor the situation,” said Casper Hill, a county spokesman. “The county is actively coordinating with the city of St. Paul to ensure continuity in coordinated emergency communications and public safety response.”

The Ramsey County Emergency Communications Center, which handles 911 calls for St. Paul, were not affected by St. Paul’s digital security incident. St. Paul Police have asked for the public’s patience when it comes to non-emergency services such as making an online police report, obtaining a copy of a police report or having evidence returned.

St. Paul police usually look up information in law enforcement databases to check if someone they encounter has a warrant or is otherwise wanted by authorities, said Ramsey County Sheriff Bob Fletcher. The sheriff’s office warrant and criminal history office is closed overnight, but Fletcher said he’s been staffing it with one person during those hours, so officers can call to get real-time information during the network shutdown.

Between 2018 and December 2024, there were 525 individual ransomware attacks carried out against municipalities and other government organizations in the U.S., according to Comparitech, a computer security and online privacy research company. Those breaches exposed more than 5 million records, with numbers escalating each year, and 2.4 million records exposed in 2024 alone.

In December, a cyberattack led to a lengthy outage for the RI Bridges system, the state of Rhode Island’s online public benefits system, which connects residents to Medicaid, SNAP and other services. The personal information of more than 650,000 Rhode Islanders were stolen and at least some of that data was exposed on the Internet, from health information to social security numbers.

_______

(Mara Gottfried contributed to this report.)

_____

©2025 MediaNews Group, Inc. Visit at twincities.com. Distributed by Tribune Content Agency, LLC.