The City of Suffolk, Virginia has confirmed a data breach affecting 157,725 individuals following a February 2026 intrusion claimed by the Cloak ransomware group. Officials say attackers exfiltrated sensitive data, including names, Social Security numbers, and financial account information, before the ransomware payload could be deployed across the municipal network.

What Happened

According to Suffolk's official notice, malicious actors gained access to the city's network on or about February 24, 2026, and attempted to deploy ransomware to encrypt portions of the environment. The intrusion was detected and the threat actor's access terminated before encryption could occur, but not before sensitive data was stolen. Notification letters went out to victims last month, with the city publicly confirming the scope over the weekend.

The Cloak ransomware group has claimed responsibility on its data leak site, alleging it stole 2.5 TB of files from Suffolk's systems. Suffolk officials have not publicly acknowledged the Cloak attribution, and key details, such as initial access vector, ransom demand, and whether any payment was made, remain undisclosed.

What Was Taken

The breach exposed a high-value combination of personal and financial identifiers across more than 157,000 residents and affiliated individuals: names, Social Security numbers, and financial account information.

Cloak's claim of 2.5 TB, if accurate, implies the stolen material extends well beyond the categories named in the consumer notice. The notification letters reportedly do not include any offer of complimentary credit monitoring or identity theft protection, leaving victims to manage their own remediation.

Why It Matters

This breach underscores the continued targeting of US municipal governments by ransomware operators, with local governments often lacking the security maturity, staffing, and budget of federal agencies or large enterprises. The Suffolk incident is the 11th-largest confirmed ransomware breach against a US government entity in 2026 by record count, and brings the year's total to 20 confirmed incidents tracked publicly.

The combination of names, SSNs, and financial account details is among the highest-risk profiles for downstream identity fraud, synthetic identity creation, and account takeover. The absence of credit monitoring for victims further amplifies that long-term exposure.

The Attack Technique

Suffolk has not disclosed the initial access vector, and Cloak's tradecraft varies across confirmed engagements. The group, active since August 2023, operates a double-extortion model: data theft followed by an attempted encryption stage, with leverage applied through a public leak site when ransoms go unpaid.

Cloak has previously claimed attacks on the Virginia Attorney General's office (February 2025), Ponoka, Canada (February 2025), Gemeinde Kaisersbach in Germany (December 2024), and Sri Lanka's Department of Pensions (April 2025). The group has claimed 75 attacks total, with 20 confirmed by victims, indicating a moderate operational tempo focused on a mix of government and commercial targets. Suffolk is Cloak's second confirmed 2026 attack, following German retailer Dinnebier Gruppe in January.

What Organizations Should Do

Municipal IT and security teams, particularly those operating with constrained resources, should treat the Suffolk incident as a reference case and prioritize:

  1. Segment and isolate sensitive data stores. Resident PII, payroll, and financial systems should be on segmented networks with strict east-west controls to limit lateral movement and bulk exfiltration.
  2. Deploy egress monitoring and DLP. The Suffolk attackers exfiltrated data before encryption was attempted. Outbound volume anomaly detection and DLP policies on sensitive data classes can catch staging behavior before terabytes leave the network.
  3. Harden identity and remote access. Enforce phishing-resistant MFA on all VPN, RDP, and admin accounts, and audit for stale or over-privileged service accounts that ransomware affiliates routinely abuse.
  4. Test EDR detection and response speed. Suffolk's defenders reportedly stopped encryption mid-attack. That outcome is repeatable only with EDR tuned to detect ransomware precursors (shadow copy and backup catalog deletion via vssadmin, wmic or wbadmin, boot-recovery tampering via bcdedit, bulk file renames and high-entropy writes, Active Directory reconnaissance) and a SOC able to isolate a host within minutes rather than hours.
  5. Pre-stage breach notification and credit monitoring. Municipalities should have vendor relationships and budget pre-approved for victim notification and credit monitoring, so the response is not delayed or politically constrained after an incident.
  6. Track Cloak indicators. Threat intel teams should ingest current Cloak TTPs and infrastructure indicators, and proactively hunt for signs of staging activity in environments with similar profiles to past Cloak victims.
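As an added illustration of items 2 and 4 (this is not Suffolk's tooling and contains no Cloak indicators; the host names, addresses, thresholds and record shapes are constructed for the example), the script below runs two detections over sample telemetry: a per-host egress-volume baseline check that ignores internal destinations, and a command-line rule set for common ransomware precursors. It then merges both into a containment shortlist, so a host that deletes shadow copies or suddenly pushes hundreds of gigabytes off-network is surfaced before encryption starts.

```python
# Two lightweight detections over constructed telemetry (example only).
# Nothing here is Suffolk's tooling or a Cloak indicator set: hosts, addresses,
# thresholds and record shapes are assumptions made for the illustration.
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed daily flow summaries: (day, source host, destination IP, bytes sent).
# fileserver01 ships ~1-2 GB/day of backups to a known external address, then on
# 2026-02-24 sends 400 GB to an address it has never contacted.  ws-finance-07's
# 90 GB copy to 10.0.5.20 is internal and is ignored by the egress check.
FLOWS = [
    ("2026-02-19", "fileserver01", "203.0.113.10", 1_300_000_000),
    ("2026-02-20", "fileserver01", "203.0.113.10", 1_100_000_000),
    ("2026-02-21", "fileserver01", "203.0.113.10", 1_600_000_000),
    ("2026-02-22", "fileserver01", "203.0.113.10", 1_200_000_000),
    ("2026-02-23", "fileserver01", "203.0.113.10", 1_400_000_000),
    ("2026-02-24", "fileserver01", "198.51.100.77", 400_000_000_000),
    ("2026-02-23", "ws-finance-07", "203.0.113.10", 40_000_000),
    ("2026-02-24", "ws-finance-07", "203.0.113.10", 55_000_000),
    ("2026-02-24", "ws-finance-07", "10.0.5.20", 90_000_000_000),
]

# Constructed process-creation events in the shape an EDR or Sysmon feed gives.
EVENTS = [
    {"host": "ws-finance-07", "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "ws-finance-07", "cmdline": "nltest /dclist:corp.example"},
    {"host": "ws-finance-07", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "fileserver01", "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "fileserver01", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "dc01", "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},  # benign job
]

# Explicit RFC 1918 list: ipaddress.is_private would also classify the TEST-NET
# addresses used in this sample as private and hide the egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_anomalies(flows, day, mult=5.0, floor_bytes=5_000_000_000):
    """Flag hosts whose external egress on `day` exceeds `mult` times their
    median daily external egress over earlier days.  The absolute floor stops a
    host with a near-zero baseline from alerting on trivial traffic.
    Returns [(host, bytes_today, baseline_bytes)]."""
    per_host = defaultdict(lambda: defaultdict(int))
    for d, host, dst, nbytes in flows:
        if not is_internal(dst):
            per_host[host][d] += nbytes
    alerts = []
    for host, days in per_host.items():
        today = days.get(day, 0)
        history = [b for d, b in days.items() if d < day]  # ISO dates sort as strings
        baseline = statistics.median(history) if history else 0
        if today >= floor_bytes and today > mult * baseline:
            alerts.append((host, today, baseline))
    return alerts


# Command-line patterns for well-known ransomware precursors (case-insensitive).
PRECURSOR_RULES = [
    ("shadow_copy_deletion", re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("ad_recon", re.compile(r"\b(nltest(\.exe)?\s+/dclist|net(\.exe)?\s+group\s+\"?domain admins\"?\s+/domain)", re.I)),
]
DESTRUCTIVE = {"shadow_copy_deletion", "backup_catalog_deletion", "recovery_disabled"}


def precursor_alerts(events):
    """Return [(host, rule_name, cmdline)] for every event matching a rule."""
    alerts = []
    for ev in events:
        for name, rx in PRECURSOR_RULES:
            if rx.search(ev["cmdline"]):
                alerts.append((ev["host"], name, ev["cmdline"]))
                break  # one alert per event
    return alerts


def containment_candidates(flows, events, day):
    """Hosts to isolate now: anomalous egress, any destructive precursor, or two
    or more distinct precursor rules.  Recon alone stays a hunting lead."""
    hosts = {h for h, _, _ in egress_anomalies(flows, day)}
    rules_by_host = defaultdict(set)
    for host, rule, _ in precursor_alerts(events):
        rules_by_host[host].add(rule)
    for host, rules in rules_by_host.items():
        if rules & DESTRUCTIVE or len(rules) >= 2:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host, today, base in egress_anomalies(FLOWS, "2026-02-24"):
        print(f"EGRESS    {host}: {today / 1e9:.0f} GB today vs {base / 1e9:.1f} GB median")
    for host, rule, cmd in precursor_alerts(EVENTS):
        print(f"PRECURSOR {host}: {rule} <- {cmd}")
    print("contain:", containment_candidates(FLOWS, EVENTS, "2026-02-24"))
```

The multiplier and floor are starting points, not tuned values: a municipality with nightly offsite backups needs a per-host baseline (as here) rather than a single network-wide threshold, and the internal-copy exclusion is deliberate, since a 90 GB pull to a staging box inside the network is a lateral-movement signal for a different detection, not an egress one. The recon-only host is left off the containment list on purpose; in practice it becomes the starting point of the hunt in item 6.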

Sources: Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances - Comparitech