
When Government Systems Go Dark: Lessons from the St. Paul Cyberattack

In late July 2025, the City of St. Paul, Minnesota, experienced a deliberate and coordinated cyberattack that triggered a full shutdown of its IT systems to contain the breach. Officials first detected suspicious activity on Friday, July 25, and by Monday, they had shut down Wi‑Fi and network services across City Hall, libraries, recreation centers, and payment portals. The move was made to preserve system integrity and prevent data exposure.

Mayor Melvin Carter described the incident as a criminal action by a "sophisticated external actor," and declared a local state of emergency on July 29. The scope had outpaced the city's IT capacity, prompting the activation of Minnesota’s National Guard Cyber Protection Team, alongside assistance from the FBI and two national cybersecurity firms.

What Went Wrong — and Why It Matters

  • Full-scale shutdown as containment: The city lost access to nearly all non-essential services—libraries couldn’t provide Wi‑Fi, utility payments went offline, and internal applications were unavailable. Only critical emergency services like 911 remained operational.
  • Outsized impact, limited visibility: Despite working legacy fallback systems like paper checkout and manual payroll, city operations slowed dramatically. Real-world disruption was unavoidable.
  • Incident response exceeded internal capacity: The breach was larger and more complex than anticipated. Even commercial cybersecurity firms couldn’t fully contain it initially; thus, the National Guard stepped in to support recovery efforts.

Visualizing the Risk and Impact

Imagine your organization is a modern office building. One morning, smoke starts seeping through the vents—something’s burning behind the walls. You don’t know how far it’s spread or what systems are compromised, but you do know this: the safest move is to evacuate everyone and shut off power to stop the fire from spreading.

That’s exactly what St. Paul had to do—digitally. When signs of compromise appeared, the city “evacuated” its digital systems by taking them offline. It wasn’t just about fixing the problem; it was about protecting what remained.

Just like in a fire drill, having a plan makes the difference between calm control and chaos. Without a plan, even a small incident can spiral out of control, making recovery efforts unnecessarily cumbersome and responses panicked, ill-advised, and expensive.

St. Paul’s experience mirrors past incidents like the 2018 Atlanta ransomware attack, where core municipal services went offline and staff had to process court filings and payments manually, costing millions to recover. Another is the 2019 Baltimore ransomware event, where most government systems were encrypted and disabled for weeks, with recovery efforts costing upward of $18 million.

Preparedness Is Not Optional

A recent annual threat report outlined that improvements in AI have driven a rapid rise in AI cyberattacks: threat instances against SMBs increased from 48,749 in June 2024 to over 13.3 million in June 2025.

Coupled with the fact that attacks against large U.S. cities are now escalating at a 65% year-over-year rate, the logic is clear: it’s not a question of if, but when your organization could face a similar scenario.

Modern threat actors know municipalities and institutions hold sensitive data and offer high leverage. Their tactics now include AI cyber-attacks, or malware as a service, often involving encrypting data or copying it for extortion—forcing tradeoffs between paying ransoms and risking prolonged operational downtime.

Without a tested incident response plan, your organization may find itself relying on reactive measures rather than following a clear, practiced routine—resulting in delays, confusion, and greater risk.

Actionable Strategies for Resilience

There are steps every organization should consider before crisis strikes:

  1. Perform a risk assessment of your infrastructure against a risk matrix. Assess the impact of a loss of confidentiality, integrity, and availability.
  2. Clarify chain of command and communication plans, internally and with external agencies.
  3. Run tabletop exercises simulating cyber incident scenarios.
  4. Define recovery time and recovery point objectives (RTOs/RPOs) and plan staffing coverage during IT outages.
  5. Review and update disaster recovery plans, including backup systems and legacy fallback workflows for effectiveness.
  6. Ensure multi-layer defences: endpoint protection, network segmentation, identity access controls, and vendor conduct requirements.

Preparing for Downtime in a Live Example

In the case of St. Paul, libraries resorted to manually writing down barcode numbers to check out books—a solution that worked but was inefficient and slow. Police officers temporarily communicated via radio rather than computers. Payroll ran on legacy manual templates.

While inefficient, at least these fallbacks were available. If your organization lacks, at the very least, similar fallback options, critical business systems and processes could stay down for days or even weeks.

Is Your Organization Ready?

Don’t wait until an incident makes preparedness a crisis. Movaci’s vCIO team offers a Business Continuity & Incident Response Readiness Session. Schedule a session today to gain executive insight into your readiness, identify potential gaps, and craft a practical action plan.

Final Thought

The St. Paul cyberattack reminds us that government agencies—and any organization reliant on digital infrastructure—are increasingly vulnerable to determined, coordinated threats.
By preparing proactively, investing in planning and testing, and partnering with experts, you can avoid being forced into the digital equivalent of shutting down your doors in an emergency.

🔹 Ready to take the next step?

Schedule a Business Continuity & Incident Response Readiness Session with Movaci’s vCIO team and strengthen your posture before it’s too late.

 Resources:

N-Able Threat Report