Foster City, California (a Bay Area municipality of approximately 34,000 residents) has declared a formal state of emergency following a ransomware attack that took down the city's entire network. The city council approved the emergency declaration during a special session held Monday night without online access, as the network remains fully offline. The attack has disrupted municipal operations across departments, forced the suspension of digital public services, and left residents largely uninformed about what systems and data were affected. No ransomware group has publicly claimed responsibility.
What Happened
The ransomware attack struck Foster City's network and was discovered on a Monday, prompting immediate shutdown of the city's infrastructure to contain the spread. The impact was broad enough that the city council's emergency meeting, called specifically to address the crisis, could not be conducted with Zoom or any online participation, as the network remained completely offline. The council voted to approve a state of emergency declaration, a formal legal status that unlocks emergency procurement authority, enables expedited contracting for incident response vendors, and may qualify the city for state and federal disaster recovery assistance.
The city has provided minimal public disclosure about the scope of the incident. A resident who attended the emergency council meeting, Yiming Luo, described the communication vacuum directly: "The city has kind of been keeping us in the dark. I mean, we don't know what got affected, what departments are affected, how it affects us." This opacity, while sometimes tactically defensible during active incident response, has left the public without clarity on whether their personal data held by the city has been compromised.
As of the time of this writing, the network remains down, no timeline for restoration has been publicly provided, and no threat actor has claimed the attack or published stolen data.
What Was Taken
No confirmed exfiltration has been disclosed by city officials. However, Foster City's municipal network would typically hold:
- Resident personally identifiable information: names, addresses, phone numbers, email addresses collected through utility accounts, permit applications, recreation programs, and city service registrations
- Financial records: utility billing data, payment card information from city service payments, business license records, tax-adjacent financial filings
- Law enforcement and public safety data: depending on network architecture, police records, incident reports, and personnel files may share infrastructure with administrative systems
- Employee records: HR data, payroll information, benefits enrollment, and credentials for all city staff
- Infrastructure and facilities data: building permits, engineering documents, utility grid configurations, public works records
- Legal and regulatory records: city contracts, litigation files, council communications
Given standard ransomware operator double-extortion methodology, the probability that data was exfiltrated prior to encryption is high, regardless of whether the city currently has evidence of it.
Why It Matters
Municipal government is the most consistently underfunded tier of critical infrastructure. Cities like Foster City operate lean IT departments responsible for the full spectrum of government services (utilities, permitting, law enforcement support, public records) with security budgets that are a fraction of what comparable private sector organizations spend. Ransomware operators know this. Small-to-mid-sized municipalities offer a predictable combination of valuable data, weak defenses, and strong political pressure to restore services quickly, all of which favor paying the ransom.
A state of emergency is not a routine administrative step. Municipalities declare states of emergency when the scope of disruption exceeds normal operational capacity. Foster City's declaration signals that the attack has materially impaired the city's ability to function, not merely inconvenienced IT staff. Every department relying on digital infrastructure is operating in degraded mode, which has direct public safety implications.
The communication failure compounds the harm. Residents reported being kept in the dark about which departments were affected and what personal data may have been compromised. This is both a trust failure and a practical harm: residents who don't know their data was exposed cannot take protective action against identity theft or fraud. HIPAA-equivalent disclosure requirements don't apply to most municipal breaches, but the ethical and practical obligation to disclose is the same.
This is part of an accelerating pattern against local government. Ransomware attacks against U.S. municipalities have increased sharply over the past three years. Attackers have successfully extracted ransoms from cities including Atlanta, Baltimore, New Orleans, Riviera Beach (FL), and dozens of smaller municipalities. The playbook is well-established, the targets remain predictable, and local government security posture has not kept pace with the threat.
The Attack Technique
No initial access vector has been confirmed by Foster City. Investigation is active. For municipal government networks of this profile, the highest-probability attack paths include:
- Phishing targeting city employees: municipal staff are high-volume email recipients from the public, creating a wide and persistent phishing attack surface with typically limited security awareness training
- Exposed remote access services: RDP and VPN endpoints, often deployed without MFA during COVID-era remote work expansions and never subsequently hardened, remain the dominant ransomware entry point in local government environments
- Unpatched public-facing systems: budget constraints and change-control friction in municipal IT mean patch cycles frequently lag months behind vendor security releases
- Third-party vendor or managed service provider compromise: many small municipalities outsource IT management to regional MSPs; a single compromised MSP can provide simultaneous access to multiple city networks
- Credential reuse from prior breaches: city employee credentials appearing in public breach databases are routinely tested by ransomware operators using automated tooling
The complete network outage and emergency declaration timeline suggests the ransomware achieved broad lateral movement before detonating, consistent with an attacker who spent days or weeks in the network before deploying the encryption payload.
What Organizations Should Do
- Implement MFA on every remote access entry point, with no exceptions. RDP and VPN without MFA are an open door for ransomware operators. For municipal governments still running legacy remote access without multi-factor authentication, this is the single highest-impact security control available. Deploy it before anything else. Prioritize privileged and IT administrator accounts first, then extend to all staff.
- Segment critical systems from general administrative networks. Public safety, utilities control, and financial systems should operate on isolated network segments with strict access controls, not on the same flat network as email and public-facing web services. Proper segmentation limits lateral movement and can contain an infection before it achieves the total network compromise Foster City experienced.
- Test and validate your offline backup posture now. The defining question in any ransomware incident is whether clean, tested, offline backups exist and can be restored within an operationally acceptable timeframe. Backups that are network-connected, untested, or stale are effectively worthless. Municipal IT teams should confirm backup integrity and practice restoration procedures quarterly, not discover gaps during an active incident.
- Develop a public communications protocol for cyber incidents before one occurs. Foster City's communication vacuum is not unusual; it is the default response when municipalities lack a pre-built incident communications plan. Draft holding statements, designate a public spokesperson, establish disclosure timelines, and define what resident-facing information will be released at each stage of an incident. Residents who are kept informed make better protective decisions and generate less political pressure on the recovery process.
- Engage CISA's no-cost services proactively. The Cybersecurity and Infrastructure Security Agency offers free vulnerability scanning, penetration testing, and incident response planning resources specifically for state, local, tribal, and territorial (SLTT) governments. Municipal IT teams that have not engaged CISA's SLTT programs are leaving funded security resources on the table. Post-incident, Foster City should also engage CISA for technical assistance and lessons-learned documentation.
- Pre-negotiate an incident response retainer. When ransomware hits, municipalities typically have zero pre-established relationships with forensic incident response firms, resulting in frantic emergency procurement at premium rates, often with inexperienced vendors. Establishing a retainer with a qualified IR firm in advance costs a fraction of the emergency rate, ensures faster response activation, and gives the city a trusted technical partner when leadership is under pressure to make consequential decisions quickly.
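A minimal backup integrity and staleness check of the kind the quarterly backup validation above calls for, as an added example that is not part of the original article or any city tooling. It assumes a hash manifest was recorded at backup time and stored where the backup itself cannot overwrite it; the file names, the seven-day freshness limit and the sample backup set are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every file in a backup set; run this at backup time and keep the result off the backup media."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict, max_age_days: int, now=None) -> dict:
    """Missing or altered files mean the set cannot be trusted for restore; a newest file older than max_age_days means it is stale."""
    now = time.time() if now is None else now
    missing, corrupted, newest = [], [], 0.0
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
            continue
        if sha256_file(p) != expected:
            corrupted.append(rel)
        newest = max(newest, p.stat().st_mtime)
    age_days = (now - newest) / 86400 if newest else float("inf")
    return {"ok": not missing and not corrupted and age_days <= max_age_days,
            "missing": missing, "corrupted": corrupted,
            "age_days": round(age_days, 1), "stale": age_days > max_age_days}

def demo():
    """Constructed sample set: a clean check, then the same set after one file is altered and the timestamps aged past the limit."""
    root = Path(tempfile.mkdtemp())
    (root / "billing.db").write_bytes(b"utility billing records")  # constructed sample data
    (root / "permits.csv").write_text("permit_id,address\n1,100 Main St\n")
    manifest = build_manifest(root)
    clean = verify_backup(root, manifest, max_age_days=7)
    (root / "billing.db").write_bytes(b"altered contents")  # simulate a tampered file
    old = time.time() - 30 * 86400
    for p in root.iterdir():
        os.utime(p, (old, old))  # simulate a backup that has not been refreshed in 30 days
    bad = verify_backup(root, manifest, max_age_days=7)
    return clean, bad
```

A real restore drill should also time a full restore from this set against the recovery objective, since a verified manifest only proves the files are intact, not that they can be brought back fast enough.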