In a grim update on a recent ransomware incident, St. Paul Mayor Melvin Carter confirmed that hackers who attacked the city last month have leaked sensitive data online. During a news conference on August 11, 2025, Carter outlined the ongoing ramifications of the cyberattack that hit the city's Parks and Recreation department.
The released data consists of approximately 43 gigabytes, primarily culled from a computer network drive utilized by the department. "Some of the files included images of employee identification cards submitted to human resources, work documents, or even personal items like recipes," said Carter, emphasizing the varied and disorganized nature of the contents.
"Some of the files included images of employee identification cards submitted to human resources, work documents, or even personal items like recipes,"
Despite the scale of the breach, it remains uncertain whether the hackers accessed other critical data sources within the city’s systems. Carter expressed concern, stating, "While the scope of what they published against us is far smaller than what they’ve accomplished elsewhere, the fact remains: Someone was inside our systems. Once that happens, there’s no way to guarantee that they could not have access to more."
Initially, city officials maintained that there was no evidence of stolen data. However, the online publication of files raises serious questions about the hackers' intentions. "We didn’t believe the hackers had any data of serious value because they didn’t attempt to sell it and instead posted it for free online," Carter noted, reflecting on the unexpected turn of events.
"We didn’t believe the hackers had any data of serious value because they didn’t attempt to sell it and instead posted it for free online,"
In response to the breach, Governor Tim Walz activated the Minnesota National Guard to deploy cybersecurity specialists to assist the city, while the FBI launched an investigation into the cyberattack. "Both advised against paying a ransom," Carter stated, underlining the city's strategy in confronting this cyber crisis. Meanwhile, cybersecurity professionals and technology staff are meticulously examining the city’s networks to locate any remaining vulnerabilities.
"Both advised against paying a ransom,"
By the Numbers
By the Numbers
By the Numbers
Carter assured residents that personal information—such as names, addresses, and phone numbers—had not been compromised. "Bill payment information, like credit card numbers, is generally handled by cloud-based applications and should not have been affected by the hack," he explained, attempting to ease public concerns.
By the Numbers
"Bill payment information, like credit card numbers, is generally handled by cloud-based applications and should not have been affected by the hack,"
Looking Ahead
The hackers employed a ransomware variant named "Interlock" in their attack. Mayor Carter shared that the assailants are linked to a sophisticated, profit-driven organization known for targeting large corporations, hospitals, and governmental entities. A warning regarding Interlock risks was issued by the Cybersecurity and Infrastructure Security Agency just weeks before the attack. Yet, the hackers' location and future intentions remain unclear, raising more alarm among city officials.
"Interlock"
Impact and Legacy
In light of the attack, St. Paul initiated a shutdown of its computer systems on July 25 as a preventative measure against further damage. This shutdown disrupted numerous city services, with lingering effects still felt weeks later. "Many services remain offline, including the St. Paul Regional Water Services’ online payment portal," Carter noted, outlining the extensive impact on city operations.
Moreover, the city's human resources departments had to resort to manual processes to ensure payroll was met on time. "Each employee got paid on time on Aug. 8," Carter remarked, illustrating the extraordinary efforts made despite the obstacles posed by the attack.
As part of the recovery process, St. Paul initiated a systematic effort to reset employee login credentials. Thousands of employees were called in for in-person password changes and equipment examinations, with some 3,500 personnel scheduled for new login information by the end of the week. "This operation runs until 10 p.m. each night," said Carter, underscoring the commitment to securing city operations.
As of late Monday, over 2,000 employees had participated in the reset process at the RiverCentre in downtown St. Paul. The city's swift and coordinated response reflects an ongoing commitment to regaining control over its cyber infrastructure and protecting sensitive information.
The future remains uncertain for St. Paul in facing potential further attacks. Continued vigilance and rapid responses will be pivotal as the city navigates the challenging landscape of cybersecurity threats. The incident serves as a stark reminder of the importance of cybersecurity and the need for stronger protections against evolving criminal tactics.
