
City of St. Joseph hit by cyberattack, data potentially acquired in breach

City Hall is shown from Faraon Street in St. Joseph.
Cameron Montemayor | News-Press NOW

ST. JOSEPH, Mo. (News-Press NOW) -- Multiple sources and documents obtained via public records requests indicate the city suffered a significant cyberattack in early June, an incident that crippled network services for an extended period of time and potentially exposed the personal data of thousands of residents, city officials confirmed Monday.

The City of St. Joseph has been forced to spend more than $1 million on extensive upgrades to its cybersecurity and technology infrastructure since it first acknowledged via Facebook on Monday, June 9, that some of its services were down or temporarily unavailable due to "network issues," saying later on June 26 it was investigating network security issues and no threat was posed to the public.

The city is now shedding additional light on the extent of the incident, saying in a press release Monday that while no evidence suggests any information has been misused, it is possible that some data, including records from the St. Joseph police and health departments, could have been acquired by an unauthorized third party.

"The investigation into this incident determined that certain files may have been acquired without authorization. After extensive electronic discovery, which concluded on Sept. 4, it was determined that some personal information may have been present in the impacted data set," the city said. "In the next 14 days, some residents will begin receiving letters regarding an incident that may have exposed personal information."

The letters will be sent to approximately 11,000 people and will include resources that can be used to protect information and instructions for enrolling in complimentary credit monitoring and identity theft protection services, free of charge.

"These services will alert those who enroll when changes occur to their credit file. Impacted residents also will receive proactive assistance to help with any questions they might have or in the event of becoming a victim of fraud," the city said. "The City of St. Joseph is fully committed to the protection of citizen and employee information, system security and data privacy, particularly in a time when cybersecurity incidents have become all too common."

Multiple current and former city employees, including one who agreed to speak on the condition of anonymity, confirmed to News-Press NOW that the incident was the result of a data breach that brought many technology and communication services to a near standstill for days.

"The first thing I noticed when I came in that Monday was our phones didn't work. And then it was we couldn't get into anything. Absolutely nothing," a prominent former staffer at City Hall said. "I just kept saying, 'What is this? What's the problem? What's going on?' Then they say we were hacked."

The cyberattack, described to her as a data breach by the city's IT staff on multiple occasions, was significant enough that it prevented her and staff from accessing network programs, files and records critical for daily business, including the city's email server.

The staffer, who worked in a large department that handled customer payments and coordinated heavily with businesses, described a chaotic environment as major processes were essentially shut down, with overwhelmed staffers struggling to complete routine tasks for much of the week, which typically included coordination with public safety departments.

"We couldn't get into any files, Fire (Department), too. I worked closely with the fire inspectors, all that stuff, how were we supposed to operate?" she said. "It was mass chaos. There should have been some type of public announcement that, 'We are struggling here.'"

The city said it first detected the network issue around 2:30 a.m. on June 9 and quickly relayed it to the information technology team at 4 p.m. The city's network was immediately shut down at all locations as a precaution and the IT team was conducting its inquiry by 6 a.m.

"Upon detecting this incident, the city moved quickly to initiate a response, which included conducting an investigation with the assistance of outside IT specialists and confirming the security of the network environment. Law enforcement was notified. The city wiped and rebuilt affected systems and has taken steps to bolster its network security, continuing work that already was underway at the time of this disruption," the city press release read.

While unconfirmed by department officials, the incident reportedly had a notable impact on file access and communications for the police and fire departments. Despite that, the city said dispatching of police, fire and emergency medical services continued uninterrupted thanks to longstanding protocols and contingency planning.

Enacted in 2009, Missouri’s data breach notification law requires entities that own or license personal information of Missouri residents to provide notice to affected consumers if there has been a breach of security following discovery or notification of the breach. Notice must be made without unreasonable delay after discovery of the breach. 

Notification is not required if, after "appropriate investigation or consultation with relevant government agencies, the entity determines there is no reasonable likelihood of identity theft or fraud."

The former city staffer was told by a colleague in the city's IT department and a direct witness that ransomware was involved in the cyberattack.

"He sent me a picture of every time he tried to open up a file of the ransom, this ransom note. I know that it was some type of ransom hack," she said.

Multiple Sunshine Law requests for a list of insurance claims, data breach documents and emails over a three-month period on the matter initially resulted in a small handful of communications being provided to News-Press NOW, with the city citing privileged and protected correspondence.

"Disclosure of any additional email correspondence would impair the City’s ability to protect the security or safety of persons or real property, and that the public interest in nondisclosure outweighs the public interest in disclosure of additional email correspondence," a city spokesperson said in an email to News-Press NOW in August.  

One email obtained in the request shows a personal Gmail account -- with the name of a prominent city human resources official -- was used June 9 to communicate with insurance company CBIZ Insurance Services about the city's cybersecurity policy coverage, as well as a risk assessment for its network on the same day the data breach occurred.

Use of personal emails for government business is typically discouraged, unless necessary in cases of emergency. The email suggests that the city's email server was inaccessible for staff across multiple departments.

It's unclear exactly how many departments were impacted by the incident, if data or personal information was collected and if so, to what extent.

The aforementioned cybersecurity policy shows the city had a cybersecurity risk assessment performed on its network defenses in December 2024, assessing the potential for direct exposure to ransomware and malware, as well as dangerous misconfigurations.

The assessment, which included deep scans for initial access by malware and ransomware and checks for whether any credentials had been offered for sale, ultimately found no infections or exposures at the time.

The city also added several endorsements to its policy at that time to expand its initial cybersecurity coverage. The risk assessment was carried out by Tokio Marine HCC, a cybersecurity insurance company.

City spends more than $1 million to improve infrastructure as a result

City councilmembers have authorized a number of costly investments to improve the city's cybersecurity, technology and software following the incident, in some cases to replace aging and outdated platforms.

"The City has many platforms that are aging and now require upgrades to ensure they remain reliable, efficient, and aligned with current standards," a document explaining one ordinance for technology purchases reads.

On Aug. 4, councilmembers approved an ordinance to provide funding in an amount not to exceed $997,659 for investments in the city's technology services to address infrastructure modernization. Investments included new servers, firewalls, networking equipment, data storage solutions and improved backup processes.

Funds were allocated from the General Fund/Computer Network according to the ordinance.

The ordinance also granted City Manager Mike Schumacher the ability to expedite purchase orders and agreements associated with said expenditures, including those that would typically require separate Council approval under the City’s bidding thresholds.

On Aug. 18, councilmembers approved a $63,089 proposal to purchase three years of security licensing to consolidate the city’s cybersecurity infrastructure. The license included threat protection, secure firewall and email, endpoint security, DNS-layer defense and multifactor authentication.

"The City of St. Joseph does carry cybersecurity insurance, and services it provides were utilized during this network disruption. At the next City Council meeting on Monday, Sept. 29, an ordinance to authorize a $50,000 insurance deductible payment will have a first reading," the city press release said.

Disruptions linger following breach

The staffer said after the first day passed on June 9 with little to no clarity on the situation, a hotspot device was brought in the following day, providing enough service for just one employee while the rest of the department struggled to complete tasks, often working off memory or from older records, with new information and data being inaccessible.

"I was going around the world to make something work, reinventing the wheel," she said. "I was there way more than I should, working late hours trying to keep the city afloat, trying to keep business going."

She said the city was unable to provide additional hotspots as multiple employees -- including herself -- resorted to using personal cellphones and laptops to view or conduct official city business, something she was later instructed not to do after several days.

With a lack of clarity about possible risks or exposures from the incident, she was highly uncomfortable with the department continuing transactions with customer credit cards.

"If we were hacked and they were using a hotspot and still having customers come in and pay for things with credit cards. If they still had access to all of our files, how is that safe?" she said. "I would not do anything unless it was cash payment."

The city's press release noted that certain departments were able to continue conducting business, including accepting and making payments, by developing workarounds within hours of the network disruption. 

"City staff focused immediately on keeping essential services running."

Despite some emails starting to trickle in by the end of the initial week, work was largely impossible as a majority of processes weren't available again until several weeks later.

Months later, some processes remain interrupted, including daily dissemination of arrests, thefts and vandalism reports to media outlets from the St. Joseph Police Department, information of high public interest.

The last official reports to News-Press NOW were sent on June 8, a day before the alleged cyberattack occurred.

Despite being passionate about and well compensated for her job, she quit not long after due to the incident and previous challenges that brought considerable stress to the job.

"I loved my work. I loved what I did," she said. "It's sad that I have to go, because there's no way I could take much more."

Cameron Montemayor

Cameron has been with News-Press NOW since 2018, first as a weekend breaking news reporter while attending school at Northwest Missouri State University.
