OnSolve CodeRED System Hit by Cyber-Attack, Disrupting Emergency Alerts

Summary
– A cyber-attack disrupted the OnSolve CodeRED emergency notification platform used by US state and local agencies, exposing user data.
– Crisis24, the provider, shut down the legacy system and rebuilt CodeRED in a new, isolated infrastructure after the attack damaged the older platform.
– Stolen data includes names, addresses, email addresses, phone numbers, and passwords from user profiles; the platform does not collect financial information.
– The INC Ransom group claimed responsibility, stating it accessed systems on November 1 and encrypted files on November 10 after failed ransom talks.
– Many local governments are migrating to the new platform, and residents are urged to change their passwords, particularly any reused on other services; internal city systems were not affected.
A significant cybersecurity incident has compromised the OnSolve CodeRED platform, a vital system relied upon by numerous state and local government bodies for distributing emergency alerts. The attack has not only interrupted critical public safety notifications but has also resulted in the confirmed theft of user data. In response, the provider, Crisis24, was compelled to deactivate the compromised legacy environment and undertake a complete rebuild of the system within a new, secure infrastructure.
This breach specifically targeted the older platform responsible for sending out alerts concerning severe weather, public safety dangers, and other urgent community information. Crisis24 has confirmed that the security violation was confined to the CodeRED environment. Although their investigation verified that data was exfiltrated, the company has stated it has found no proof that this information has been published on the internet thus far.
The stolen data encompasses several types of personal information, including:
- Full names, physical addresses, and email addresses
- Telephone numbers
- Passwords associated with individual CodeRED user profiles
Multiple municipal authorities have clarified that the platform does not gather or store any financial details from residents. The City of University Park, Texas, illustrated the prevailing concern in a recent emergency communication, stating, “CodeRED has informed us that while there are indications that data was taken from the system, at this time, there is no evidence that this information has been posted online. However, we want to let residents know that it could be leaked in the future.”
Responsibility for the cyber-attack has been publicly claimed by the INC Ransom group. In a post on the dark web, the group alleged it initially gained access to OnSolve’s systems on November 1st and proceeded to encrypt files on November 10th after negotiations for a ransom payment collapsed. The hackers released screenshots that seem to display customer information, including passwords stored in clear text, and have announced they are selling the stolen data files.
The fallout has prompted local governments across fifteen states to issue advisories to their communities. Some agencies are now seeking to terminate their contracts with CodeRED, while others are transitioning to the newly established version constructed in a clean, isolated environment. A complication has arisen because the restored system depends on backup data from March 31, 2025, leading to the absence of some user accounts created after that date.
Municipalities have been quick to reassure residents that their own internal government networks and systems remained unaffected by this breach. Despite this, they are strongly advising all individuals to change their passwords immediately, particularly if the same password was used for other online services. Staff in various cities are reportedly collaborating with Crisis24 to migrate to the new platform, which has undergone a comprehensive security audit and external penetration testing to ensure its integrity.
Crisis24 has officially declared that the legacy platform is now permanently decommissioned. The company is focusing its efforts on rebuilding the CodeRED service from the ground up to prevent future incidents. In a troubling development, the INC Ransom group has started selling samples of the data it claims to have stolen, heightening anxieties among the impacted public agencies about potential future data exposure.
(Source: InfoSecurity Magazine)

