Cyberattacks like the one in St. Paul cost U.S. cities millions of dollars

A state of emergency continues Wednesday in St. Paul after officials shut down the city’s digital infrastructure and worked to the stop the spread of a cyberattack.

St. Paul officials noticed signs of the cyberattack on Friday and alerted the public on Tuesday. Wi-fi was out at St. Paul City Hall, libraries and recreation centers. The city’s 911 and other emergency response systems were still working, Mayor Melvin Carter said.

It is not yet clear why St. Paul was targeted, officials said, or what data might be at risk.

Here is information on how to access St. Paul services during the cyberattack.

St. Paul police and fire leaders on Wednesday evening sought to reassure residents that their key systems are still working and people who call 911 will get a response.

“To be crystal clear, there is absolutely no problem with our emergency response,” Police Chief Axel Henry said in a news conference.

While acknowledging that some people could have trouble accessing wireless internet or there could be some delays getting copies of reports, Henry said that officers are taught to find ways to work around technology outages.

“It is like having a telephone and saying you can’t text right now. Well, then, you’ll just call me,” Henry said.

Henry said that, as far as he knows, police body cameras, parking meters and ticket writers are still working.

Henry said officials are still trying to find a motive for the attack.

“We don’t know at this point what the goal was of infiltrating the city system,” he said.

- Liz Navratil and Eleanor Hildebrandt

At the Highland Park Community Center, signs on the door said the library internet was down and the public computers were unavailable.

“We are working on this,” the sign said. “We apologize for any inconvenience.”

- Eleanor Hildebrandt

A state law that went into effect in December 2024 requires public agencies and government contractors — including counties, cities, townships and school districts — to report cybersecurity incidents to Minnesota IT Services (MNIT), the state’s central IT organization.

Many state agencies were already required to disclose cybersecurity incidents, but there wasn’t previously a clear path for other public entities to do so, said the bill’s author, Sen. Melissa Wiklund, DFL-Bloomington.

The new reporting requirement is meant to enhance the state’s ability to detect, respond to and mitigate cyber threats in a more transparent, timely way. Agencies must report incidents within 72 hours of discovering them. The reporting form and a list of what types of incidents require it are listed on the Minnesota IT Services website.

“We may not hear about cyber incidents every day, but we do know that cybersecurity actors are trying every day to get through protection measures,” Wiklund said Wednesday.

Logging the details of past incidents can help identify patterns in who was targeted and how breaches occurred, Wiklund said.

Beginning in 2026, the law also requires an annual report about the incidents. That report will go to the governor and the legislative commission on cybersecurity and can inform decisions about where to dedicate more cybersecurity resources, Wiklund said.

- Mara Klecker

Nir Perry, founder of Cyberwrite, a New York-based company that helps insurance agencies quantify what municipalities might need to pay out during an attack, said a minor incident could cost thousands, while a larger scale attack could cost tens of millions. The range depends on whether a ransom is requested, whether data is breached, whether notification is required and how many people are needed to respond, among other factors.

“I think, in general, municipalities are most susceptible to cyberattacks because they are less technological and they have less budgets for technology,” Perry said.

Some other Minnesota agencies have faced litigation following separate cybersecurity incidents.

The University of Minnesota announced in 2023 that a hacker had “likely gained unauthorized access” to a database containing three decades’ worth of sensitive information pertaining to applicants, students and employees. The U said it suspected the data was accessed in 2021 and faced lawsuits from people who alleged, among other things, that the university hadn’t done enough to prevent the breach.

The U and the plaintiffs have reached a tentative $5 million settlement, according to documents filed in court earlier this month. People who received notice that their data had been breached could each receive roughly $30 payments and two years of dark web monitoring services. The deal also calls for the U to commit to improving security for the database that was compromised. The agreement is expected to come up for court approval later this year.

Dan Gustafson, lead attorney for the plaintiffs, said they welcome the settlement.

“Data was not generally exposed or made available on the dark web so there is not significant threat of identity theft,” Gustafson said in a text message. “So payment is for stress caused etc.”

- Liz Navratil

Gov. Tim Walz said Wednesday that St. Paul had a “fantastic” response to the cyberattack.

“The city of St. Paul did everything they could immediately, and was over the whole weekend working together,” Walz said.

Though Walz said he had not received any updates Wednesday, he said he understood the city was most concerned about the vulnerability of employees’ data.

Walz said 13 cybersecurity experts with the National Guard are working with St. Paul to assess the damage.

- Jeremy Olson

The Minnesota Star Tribune spoke with Brian Huilman, department chair at Minneapolis College’s School of Information Technology, to learn more about cyberattacks and how often they occur. The following interview has been edited for length and clarity.

Q: How often do cyberattacks happen? Are they increasing in frequency?

Organizations that have established security teams or a cybersecurity infrastructure likely have all the sufficient protections in place. They have firewalls at the network side. They have firewalls on the hosts. Intrusion detection and instruction prevention systems. They have sound security policies with regard to user passwords. They are backing up their data. They are patching their software and their operating systems all the time.

Q: The terms cyberattack and data breach get thrown around a lot. What differentiates one from the other? Or are they the same?

A: They’re different. A cyberattack is the process and act of breaching a computer system, or I guess technically you don’t have to be breaching it, but attack is actively trying to breach it. A data leak would be the result of a successful cyberattack. If they can penetrate the system’s defense, if they can actually break into a system, then they can get access to the data, extract it and share it.

Q: Part of the reason the St. Paul attack captured people’s attention is because the systems have been down for multiple days. How common is that?

A: That level of outage, I would say, is rare. It certainly happens. I believe, though, and all I can say is what I read in the press, is that this was an abundance of caution on the city’s part.

And believe me, there is a huge discussion that goes on in those situations because of the negative media attention, the damaging impact of the systems and services and everything else. But, they clearly thought this was the best approach to protecting things and being able to figure out and then mitigate what actually happened.

Q: What are the implications for government agencies when they’re targeted by a cyberattack? How might this affect their costs, insurance premiums, etc.?

A: It’s hard to quantify those things, because nobody actually knows what happened yet, and nobody knows the long-term effect.

Q: Do you have any sense for how often hackers are successful and what their motivations tend to be?

A: [It’s] very hard to quantify and qualify both. The success rate, I would say, is rather low. It’s like you throw out a survey and you’re happy if you get a 10-15% response. These guys are getting even less than [that]. They might probe hundreds of systems before they’re able to successfully get into something.

Q: What haven’t we asked about that you’d want people to know if they’re trying to put the St. Paul attack into context?

A: From all the things I’ve seen, there is nothing to panic about regarding the St. Paul event. I think it’s a call for education in letting everybody know that they have a responsibility for preventing this, using strong passwords and setting up multifactor authentication for systems they use, adhering to corporate policy with regard to security.

These things are in place for a reason…That’s not to say it was employee error that caused the St. Paul thing, but just raising the awareness [that] there are things that everybody can do help.

- Liz Navratil

Ward 1 Council Member Anika Bowie said shortly after noon on Wednesday that she has heard from St. Paul residents concerned about personal information being exposed in the cyberattack.

“We are sending these concerns to our cybersecurity team to examine,” she said.

- Josie Albertson-Grove

Many cities across the United States have cybersecurity insurance from their state’s League of Cities.

Melissa Williams, a spokesperson for the National League of Cities, said in a statement that cyberattacks on cities can “easily cost millions of dollars in expenses.”

“Depending on the severity of the attack, the effects may be felt for years after the initial incident,” she said.

“Recent cuts to federal cybersecurity spending increase the pressure on state and local governments to defend against an increasingly sophisticated threat,” Williams said.

- Eleanor Hildebrandt

St. Paul officials said Tuesday that they had not yet determined if residents’ personal data is at risk.

But Soumya Sen, a cybersecurity expert and associate professor at the University of Minnesota, said people can take some some cybersecurity precautions now. He suggested:

Moving forward, Sen said people need to be updating all their passwords annually and always using strong, unique passwords.

Sen did not suggest freezing accounts or credit at this time since it is not clear who has been impacted.

- Eleanor Hildebrandt

Minneapolis Public Schools suffered a cyberattack in 2023 that temporarily disabled some district technology and led to a data breach of personal information.

A ransomware group called Medusa claimed responsibility, without specifying motive, and demanded $1 million to delete the data.

Cyberattacks like the one that paralyzed the school district’s computer systems are becoming a growing threat to school districts, prompting a dramatic rise in cyber liability insurance premiums and a scramble to figure out what can be done to secure student and staff data.

Minneapolis isn’t the only metro-area school district feeling the pinch. St. Paul Public Schools officials saw their cyber premium go from $60,000 in 2021-22 to more than $119,000 in the 2022-23 school year. The Anoka Hennepin and Osseo school districts saw increases of more than 10%.

The Minneapolis district partnered with national specialists to do a “comprehensive review” of the computer systems involved to determine what sensitive information was accessed and identify those who were impacted.

In September 2023, school officials contacted people whose data had been accessed and offered free credit monitoring as well as services to address any “mental or emotional responses” to the breach.

The district also said then that it was reviewing district policies, adding system protections and offering additional training to staff to help prevent other cyber security incidents.

School districts face particular challenges that have made them more vulnerable, experts say — namely that they have thousands of school-issued devices used by children and teenagers. Moreover, widespread staffing shortages and budget crunches in recent years mean that school IT departments are often chronically overstretched.

St. Paul workers will receive a paycheck during the next pay period on Aug. 8, even as the city extends a state of emergency after a major cyberattack shut down many of the city’s online systems.

St. Paul officials noticed signs of the cyberattack on Friday and alerted the public on Tuesday. Wi-fi was out at St. Paul City Hall, libraries and recreation centers.

Mayor Melvin Carter declared a state of emergency Tuesday, allowing the city’s departments of Emergency Management and Office of Technology and Communications to mobilize support from local, state and federal officials.

“This was a deliberate, coordinated digital attack, carried out by a sophisticated external actor, intentionally and criminally targeting our city’s information infrastructure,” Carter said Tuesday.

- Tim Harlow