St. Paul employee data could be at risk in cyberattack

St. Paul residents’ data is not likely at risk in the cyberattack on the city, Mayor Melvin Carter said Thursday, but city workers’ information could still be exposed.

Many of the capital city’s internet and information systems remained shut down as St. Paul worked to isolate a cyberattack detected July 25.

“The city maintains very little data” on residents, Carter said during a Thursday news conference. “The city doesn’t have Social Security numbers on random residents. The city doesn’t maintain that type of sensitive information on community members who don’t have some fiscal relationship with the city.”

As city information security staff, a National Guard unit, the FBI and two private firms work to isolate the problem, Carter said the city is still trying to determine if city workers’ data is at risk.

The possibility that employee data could be exposed is part of why Carter said the city announced the attack on Tuesday.

After city information security staff determined that the unusual network activity detected July 25 was a cyberattack, Carter said, St. Paul was trying to not let the attackers know the city knew they had accessed city networks, Carter said.

But Carter said when he learned employee data was at risk, he decided to alert the public.

St. Paul does not yet know when all city networks will be back online, Carter said, but pieces of infrastructure are back up.

The 911 system was never down, and Police Chief Axel Henry said police were finding analog ways to work without systems like the computers in their cruisers. Carter said Thursday that some police computer systems would be running again soon.

Some city phone numbers are functioning again, Carter said. Because most city phone numbers are voice-over-internet lines, the internet outage meant many parts of the city phone exchange did not work. The city prioritized the restoration of high-traffic lines, such as phone numbers for building permits and the Department of Safety and Inspections.

Recovery could be a long and costly process. Some attacks can cost cities millions, according to the National League of Cities, for recovery services. Lawsuits over data exposure can add millions to the tab.