Weeks after a crippling ransomware attack hit St. Paul, Minnesota, new details have emerged about the scope of the incident, with threats still looming. The Interlock ransomware group claimed responsibility for the July 25 breach and has now published 43GB of material allegedly taken from the city’s private servers, including thousands of HR files, financial records, and identification documents. The leak marks a major escalation in the weeks-long incident, which has already paralyzed key municipal services.
In the meantime, Operation Secure St. Paul is in full swing.
The Minnesota National Guard’s cyber protection unit, in conjunction with the FBI and private cybersecurity experts, is working alongside city IT staff to reset employee passwords and institute upgraded security measures before phasing systems back online.
Public services remain limited, and residents are being warned about phishing scams exploiting the ongoing disruption.
Why It Matters: The latest developments establish that the St. Paul ransomware incident is now a confirmed data breach with potentially long-lasting privacy implications for employees and possibly residents. The release of highly sensitive documents also increases the risk of targeted fraud and identity theft, underscoring the urgency of immediate containment and long-term cybersecurity reinforcement.
- Leak Confirmed and Published: Cybersecurity news outlet Hackread.com has verified that the Interlock ransomware group is hosting a cache of what it claims to be 43 gigabytes of stolen St. Paul city data on its dark web leak site. The files are divided into two large folders, one reportedly containing over 40GB of user-related data and the other holding additional administrative records. According to preliminary analysis, the collection includes more than 3,000 human resources documents, thousands of pieces of internal correspondence, and at least 280 files containing sensitive personal identification like passport scans and driver’s licenses. While the authenticity of each document has yet to be confirmed by city officials, the volume and variety of the materials could give malicious actors a detailed picture of the city’s internal workings and personnel.
- Hackers Accuse City of Negligence: In a statement posted alongside their alleged evidence, the Interlock ransomware operators accused the City of St. Paul of exhibiting “careless and irresponsible” security practices, claiming that weak protections allowed them to infiltrate networks and exfiltrate large amounts of data. They allege that this negligence also places residents’ personal information at risk of exposure and misuse. Officials in St. Paul have not validated these accusations and have reiterated that the matter is under active FBI investigation, limiting what can be disclosed publicly.
- Expanded Recovery Measures: City leaders have initiated extensive security upgrades as part of Operation Secure St. Paul, beginning with a complete password reset for all roughly 3,500 city employees. This measure is designed to invalidate any stolen login credentials that may still be in circulation. Technicians are also installing upgraded endpoint protection and intrusion detection systems on every municipal device. The process is being carried out systematically, with systems only being reinstated once they have been thoroughly assessed and cleared of any malicious code. Officials emphasize that the approach prioritizes security over speed, which means full service restoration will take time.
- National Guard Continues Deployment: The Minnesota National Guard’s cyber unit remains embedded in city operations. Working side-by-side with state, federal, and private security consultants, Guard members are mapping the true scope of the intrusion and securing vulnerable network segments. This allows St. Paul to draw on military-grade digital defense capabilities and obtain long-term infrastructure guidance to prevent similar breaches in the future.
- Rising Resident Threats: Officials are reporting an uptick in phishing emails and fraudulent invoices targeting residents and local businesses by mimicking city correspondence. The city is advising the public to verify all communications and avoid clicking suspicious links or attachments.


