Saint Paul, MN — Digital Security Incident Response Hub

A Municipal Ransomware Case Study: What Saint Paul's 2025 Incident Teaches Minnesota

Saint Paul's summer 2025 cyberattack disrupted City services for months. The incident is now a documented blueprint — for attackers and defenders alike.

43 GB of data exfiltrated — Parks & Recreation dept.
90+ days to restore over 75% of City systems
$0 ransom paid — City refused attacker demands
5 federal and state agencies engaged in response

Active Threat Context — Minnesota Pattern Continues

Saint Paul is not an isolated incident. Spring Lake Park Schools (April 2026) and Delano Public Schools (May 2026) were both hit by ransomware within months of Saint Paul's recovery. K-12 districts — many sharing infrastructure with municipal governments — lead all entity types in MNIT's 2025 Cybersecurity Incident Report with 81 confirmed incidents.

No Ransom Paid — Full Transparency Maintained

Saint Paul's emergency management and IT leadership made the decision not to pay the ransom and to maintain full public transparency throughout recovery. Emergency services remained operational throughout the incident. The City's public communications serve as a model for municipal incident response.

What Happened — and What It Cost Saint Paul

On July 25, 2025, Saint Paul detected unauthorized access across City systems. The attacker exfiltrated 43 GB of data from the Parks and Recreation department and encrypted systems across multiple city departments. Recovery took over three months and required partnerships with the FBI, Minnesota IT Services, the Minnesota National Guard, and private cybersecurity firms.

July 25, 2025 — incident detected, systems taken offline to contain spread
5 agencies engaged: FBI, MN Dept. of Public Safety, MNIT, MN National Guard, private cybersecurity firms
43 GB exfiltrated from Parks & Recreation — the most affected department
75%+ of City systems restored by October 22 — over 90 days post-detection

Milestones: From Detection to Restoration

Saint Paul's recovery was methodical and publicly documented — a transparency model other municipalities should study. Each milestone reflects a department-by-department, system-by-system rebuild.

July 25, 2025

Incident Detected — Emergency Response Activated

Unauthorized access detected across City systems. IT teams took systems offline to contain the spread. Emergency services (911, police, fire) remained operational on isolated infrastructure. FBI engagement initiated.

Late July – Early August 2025

Containment & Partnership Engagement

Minnesota IT Services (MNIT), Minnesota Department of Public Safety, and the Minnesota National Guard Cyber Team joined response efforts. Private cybersecurity forensics firms engaged to assess scope and begin recovery planning.

August 10–13, 2025

Operation Secure Saint Paul — Password Reset Completed

City-wide credential reset operation completed across all active employee accounts. All staff required to create new passwords through a secure, out-of-band verification process before regaining system access.

September 17, 2025

PAULIE Permitting Platform Launched

Saint Paul launched the PAULIE digital permitting platform — a new system built on restored infrastructure. Permits and inspections moved to the new platform rather than restoring the compromised legacy system.

September 18, 2025

Public WiFi Restored at Libraries & Recreation Centers

Public internet access restored at Saint Paul Public Library branches and Parks & Recreation facilities — the first public-facing systems brought back online after the incident.

Late September 2025

Online Payments Restored — Garbage & Water Bills

Online payment systems for utility billing (garbage and water) restored. City issued public warnings about fraudulent invoices being sent to residents by bad actors during the outage period.

October 22, 2025

75%+ of City Systems Restored

Mayor's office confirmed over 75% of all City systems restored and operational. Recovery work on remaining systems continued into late 2025 under ongoing monitoring with state and federal partners.

What the Incident Cost — Beyond the Ransom

Saint Paul paid no ransom — but "free" is the wrong word. The real cost was measured in months of operational disruption, staff time, contract resources, and irreversible data exposure affecting residents.

Data Exposure: 43 GB Exfiltrated from Parks & Rec

Forty-three gigabytes of Parks and Recreation department data was confirmed stolen before systems were taken offline. Data likely included employee records, program participant data, and operational files. Exposure scope for affected residents has not been fully disclosed.

Service Disruption: 90+ Days of Degraded City Services

Residents and businesses experienced disrupted permitting, billing, and digital services for over three months. Staff reverted to paper-based processes. Departments that relied on shared city infrastructure were broadly affected regardless of whether they were directly targeted.

Secondary Risk: Fraudulent Invoice Campaign

Threat actors exploited the publicly known outage window to send fraudulent invoices to Saint Paul residents. The City had to issue public warnings about fake bills — adding a social engineering layer on top of the ransomware incident itself.

Resource Commitment: 5-Agency Response & Private Contractors

Recovery required simultaneous engagement of the FBI, Minnesota Dept. of Public Safety, MNIT, the National Guard Cyber Team, and private cybersecurity firms — a resource expenditure that smaller municipalities could not sustain independently.

Effective Response: Emergency Services Never Disrupted

911, police, and fire department operations remained fully operational throughout the incident — a critical success. Isolation of emergency infrastructure from general city systems proved to be an effective architectural decision.

Transparency Model: Public Communication Hub Maintained

Saint Paul maintained a live, public-facing Digital Security Incident Info Hub throughout the recovery — providing milestone updates, payment guidance, and FAQ responses. This transparency model reduced misinformation and built resident trust during a difficult period.

Where Browser-Layer Security Would Have Changed the Outcome

Ransomware doesn't materialize from thin air. It enters through a vector — and in the vast majority of municipal incidents, that vector is the browser: a phishing page, a credential harvesting site, or a malicious download. Here is where isolation would have intervened.

Credential Theft Prevention

Browser isolation renders suspicious sites in a remote cloud container. Keystrokes typed into a phishing page never reach the attacker's server — they interact with a pixel stream, not a live page. If Saint Paul's initial access was credential-based (consistent with 58% of MN incidents), isolation stops the attack at step one.

MNIT 2025 CIR: Compromised credentials = 58% of all incidents

Malware Delivery Blocked at the Browser

Ransomware payloads are commonly delivered via drive-by downloads, malicious email links, or weaponized documents opened in browser tabs. A cloud enterprise browser executes all web content in an isolated container — malware cannot escape to the endpoint, and the container is discarded after each session.

Attack pattern: web-delivered payload execution

Data Loss Prevention Before Exfiltration

43 GB left the Parks & Recreation network. Browser-layer DLP controls monitor and block file uploads, copy/paste of sensitive data, and form submissions — regardless of which application the user is in. Exfiltration through web-based channels would have been blocked or flagged in real time.

Confirmed: 43 GB exfiltrated from Parks & Rec dept.

Session Isolation Limits Lateral Movement

One of ransomware's most damaging phases is lateral movement — spreading from an initial foothold to other systems on the network. If the compromised session runs in a cloud-isolated container, the attacker's access is bounded by that session's permissions and cannot pivot to adjacent systems through the browser.

Saint Paul: multiple departments affected by single incident

Whole-of-State Deployment — No Infrastructure Needed

Cloud enterprise browsers require no on-premises appliances. Under MNIT's Whole-of-State program, every municipality in Minnesota — including those without a dedicated IT department — could be protected through a browser-based policy. Saint Paul's recovery required 5 agencies; prevention could come through 1 platform.

MNIT: 3,300+ eligible Whole-of-State entities

AI-Generated Phishing — Zero Signature Required

If Saint Paul's initial vector was a phishing email (consistent with attack patterns), modern AI-generated phishing pages evade all signature-based filters. Browser isolation is signature-agnostic — it doesn't need to recognize a threat to contain it. Every unknown page is isolated by default.

MNIT 2025 CIR: adversarial AI explicitly flagged as escalating threat

"Emergency services remained operational throughout the incident. We did not pay a ransom. Our priority was restoring services as quickly as possible while keeping Saint Paul residents informed at every step."
— Saint Paul Emergency Management, Digital Security Incident Info Hub, 2025

From Response to Resilience — The Security Improvements Saint Paul Implemented

Saint Paul's public documentation acknowledges that the incident drove meaningful security improvements. These reflect the same capabilities a cloud enterprise browser operationalizes — at the browser layer, before incidents begin.

Implemented: City-Wide Credential Reset

Operation Secure Saint Paul completed a full credential rotation across all staff accounts using an out-of-band verification process. Browser-layer isolation would prevent this from ever being necessary by stopping harvesting at the point of entry.

Implemented: System Segmentation — Emergency Services Isolated

Emergency services infrastructure was already isolated enough to remain operational. Post-incident work extended this segmentation model to additional departments — a key resilience principle aligned with Zero Trust architecture.

Implemented: New Platform Architecture (PAULIE)

Rather than restoring the compromised permitting system, Saint Paul built PAULIE — a new platform on clean infrastructure. This architectural reset reflects a Zero Trust principle: don't restore trust, re-establish it from a clean state.

Still Needed: Browser-Layer Threat Prevention

Saint Paul's security improvements address recovery and segmentation — but do not publicly document a browser isolation or secure web gateway capability. The attack vector remains open. Without browser-layer protection, the next incident starts from the same entry point.

Still Needed: Proactive DLP for Web Channels

43 GB was exfiltrated before containment. Data loss prevention at the browser layer — blocking uploads, monitoring form submissions, controlling copy/paste — would have reduced or eliminated exfiltration volume during the attack window.

Still Needed: AI-Aware Phishing Defense

Saint Paul's FAQ acknowledges the incident involved social engineering techniques. MNIT's 2025 CIR explicitly flags adversarial AI as an escalating threat. Browser isolation is the only defense mechanism that is inherently signature-agnostic — effective against AI-generated threats by design.

Saint Paul Incident — Key Questions Answered

Based on Saint Paul's public Digital Security Incident Info Hub, the following answers address the most common resident and stakeholder concerns raised during the incident.

Saint Paul experienced a ransomware attack — a type of cyberattack where malicious software encrypts City systems and the attackers demand payment to restore access. Saint Paul refused to pay the ransom and worked with state and federal partners to restore systems independently.
Approximately 43 GB of data was exfiltrated from the Parks and Recreation department. If you participated in Parks & Recreation programs, your information may have been in that data set. Saint Paul committed to notifying affected individuals directly as the forensic analysis was completed. For other departments, the City confirmed no broader resident data exfiltration was identified.
No. Emergency services — including 911 dispatch, police, and fire — remained fully operational throughout the incident. These systems were isolated from the affected city infrastructure and were not compromised.
Saint Paul has not publicly disclosed the specific initial access vector pending the FBI investigation. Based on MNIT's statewide 2025 Cybersecurity Incident Report, compromised credentials are the most common entry point for ransomware attacks against Minnesota government entities — accounting for 58% of all reported incidents. Social engineering and phishing are the primary methods used to steal those credentials.
Possibly not. During the outage, bad actors sent fraudulent invoices to Saint Paul residents and businesses, knowing the City's normal billing systems were offline. If you received a bill during the outage period and are uncertain of its legitimacy, contact the relevant City department directly using the phone numbers listed in the official contact section — do not pay based on an invoice you cannot verify through official channels.
Ransomware recovery is not a single operation — it requires forensic investigation to determine the full scope of compromise, rebuilding systems from verified clean backups or new infrastructure, security hardening before systems go back online, credential rotation across all staff, and coordination across dozens of departments with different systems. Rushing recovery without verification risks reintroducing the attacker into restored systems.
Publicly documented improvements include: a city-wide credential reset (Operation Secure Saint Paul), extended system segmentation, the launch of new platform infrastructure (PAULIE permitting system), and enhanced monitoring in partnership with MNIT. The full security improvement program has not been publicly detailed — consistent with best practices of not disclosing defensive architecture to potential future attackers.
It is not unique. MNIT's 2025 Cybersecurity Incident Report documented 269 reportable incidents across Minnesota government entities in the 12 months following December 2024. K-12 school districts lead all categories with 81 incidents. Spring Lake Park Schools (April 2026) and Delano Public Schools (May 2026) both experienced ransomware within months of Saint Paul's recovery — demonstrating the attack pattern is active and continuing.
Be skeptical of any email or phone call claiming to be from the City during a known outage period. Verify invoices by calling official City department numbers directly. Do not click links in unsolicited emails purporting to be from City departments. If you use public WiFi at City libraries or rec centers, avoid accessing sensitive accounts until the network is confirmed fully restored and secured.

Saint Paul City Departments — Official Contacts

For questions related to the cybersecurity incident, bill verification, or service restoration status, contact the relevant department directly using the numbers below. For emergencies, always call 911.

Emergency Services

Police, Fire, Medical

911

City General Information

Saint Paul City Hall

15 Kellogg Blvd. West, Saint Paul, MN

651-266-8989

Water Bill Inquiries

Regional Water Services

651-266-8989

Garbage & Recycling Billing

Public Works Department

651-266-8989

Parks & Recreation

For data exposure inquiries

651-266-8989

Permitting (PAULIE)

New platform — launched Sept 17, 2025

stpaul.gov/permits

Saint Paul's Incident Is a Documented Roadmap — for Defenders and Attackers

The attack vector, the timeline, the exfiltration volume, and the recovery cost are all public. Minnesota municipalities that haven't closed the browser-layer gap are operating on borrowed time. The question is whether the next incident is a case study or a prevention story.