Municipal emergency warning service offline after hackers steal user data

An emergency warning service used by municipalities across the U.S. was taken down in recent weeks by hackers who also stole information on the system's users. 

Crisis24, a company that provides a variety of security services globally, confirmed that data associated with its mass notification system was stolen by hackers during a recent cybersecurity incident. 

The hackers recently published the stolen information online, according to a Crisis24 spokesperson. The data is associated with the OnSolve CodeRED platform, which many counties, cities and towns use to send out information like weather notices, updates on disasters, AMBER alerts, evacuation orders and public safety notifications. 

“The attack also resulted in damage to the OnSolve CodeRED environment. Current forensic analysis indicates that the incident was fully contained within that environment, with no contagion beyond,” the spokesperson said. “The dataset involved may include information for OnSolve CodeRED users. Users who have reused their OnSolve CodeRED password for any other personal or business accounts are advised to change those passwords immediately.” 

Customers have been notified of the incident, and the platform has been decommissioned while they work on a new version of it. Crisis24 did not respond to several follow-up questions about the nature of the incident and their coordination with federal law enforcement. 

Municipalities across Colorado, Montana, Ohio, Georgia, New Mexico, Illinois, Missouri, Texas, Virginia, California, Massachusetts and more warned local residents to change the passwords that they used to sign up for alerts from the platform. 

According to some of the affected municipalities, as well as law enforcement, the platform first went down around November 10. Crisis24 contacted them and explained their work on a new mass notification platform, they said. Some counties terminated their contract with the company as a result of the incident. 

In place of the system, some counties have relied on social media or the federal government’s Integrated Public Alert and Warning System (IPAWS) alerts — emergency notifications managed by the Federal Emergency Management Agency (FEMA) meant for natural disasters, public safety threats and other emergencies. The messages are typically sent to cell phones.

The Jackson County Sheriff’s Office in Illinois published the letter Crisis24 sent them on Facebook, warning residents that the mass notification system is no longer working. 

Crisis24 told customers the cyberattack “damaged the OnSolve CodeRED environment in a targeted attack by an organized cybercriminal group.”

The company said the hackers stole information including the names, addresses, emails, phone numbers and passwords of OnSolve CodeRED users. 

The company has expedited plans to create a new version of CodeRED using backups, the letter said, but they warned the backup data is only current as of March 31. People that signed up for alerts after that date will have to sign up again. 

“We have also completed a comprehensive security audit of CodeRED by Crisis24 and its infrastructure as well as engaged external experts for additional penetration testing and hardening,” the company told customers.

“Please note, the CodeRED by Crisis24 platform will currently provide only basic alert and notification capabilities using publicly available phone data.”

FEMA did not respond to requests for comment and the Cybersecurity and Infrastructure Security Agency directed all questions to Crisis24. 

The attack on Crisis24 was claimed this weekend by the INC ransomware gang. The group has carried out a handful of high-profile attacks on governments, including the Pennsylvania Office of the Attorney General, the State Bar of Texas as well as international agencies in Panama and Hungary. 

Crisis24, which reported $436 million in earnings throughout 2024, is owned by Canadian corporation GardaWorld.