Risk management firm Crisis24 confirmed that its OnSolve CodeRED platform, which is used by state and local governments, police, and fire agencies to send emergency alerts and weather warnings to residents, suffered a debilitating cyberattack. This incident led to the widespread disruption of emergency notification capabilities across the country. Crisis24 was compelled to decommission the legacy CodeRED environment entirely and is now in the process of rebuilding the essential service.
In communications and an FAQ provided to impacted customers, Crisis24 stated that their internal investigation concluded that the attack was successfully contained to the CodeRED environment and did not compromise any of the company’s other systems. However, the company did confirm that the cyberattack resulted in the theft of customer data from the platform. The stolen information includes sensitive personal details such as names, addresses, email addresses, phone numbers, and the passwords associated with CodeRED user profiles.
Crisis24 has attempted to reassure customers by noting that they have seen no indication that the compromised data has been made public, a sentiment echoed by various affected municipalities. For instance, the City of University Park, Texas, stated in an announcement that while there are indications data was taken, there is no current evidence of the information being posted online. Nonetheless, the confirmation of a data breach underscores the severity of the incident beyond mere service disruption.
Due to the damage caused by the attack, Crisis24 is focused on restoring service by migrating to a newly launched “CodeRED by Crisis24” system, which is being populated from restored backups. A significant consequence of this necessary rebuild is that the available data backup is dated March 31, 2025. This means that any accounts or profile updates created after that date are likely missing from the newly launched system. This has prompted numerous counties, cities, and public safety agencies nationwide to inform their residents of the disruption and their ongoing efforts to fully restore operational emergency alert systems.
While Crisis24 initially attributed the breach only to an “organized cybercriminal group,” the INC Ransomware gang has since claimed responsibility for the attack. The criminal group created an entry for OnSolve on its dark web data leak site and proceeded to publish screenshots purporting to show customer data. These screenshots reportedly displayed customer information, including email addresses, along with their associated clear-text passwords, contradicting Crisis24’s assertion that the stolen data has not been publicly published.
Reference:
