A cyber attack on the risk management company Crisis24 has crippled emergency alert systems, disrupting critical services relied upon by local governments, law enforcement agencies, and fire departments.
The incident affected the OnSolve CodeRED platforms the company uses to disseminate urgent notifications to targeted individuals during public emergencies, such as adverse weather, gas and chemical leaks, bomb threats, fires, or missing persons.
The system can be rebranded and enables public entities to reach their target audience via voice, SMS, email, mobile application, or through the federal government’s Integrated Public Alert and Warning System (IPAWS).
Crisis24 decommissions CodeRED after cyber attack leaks sensitive data
Crisis24 has decommissioned the legacy CodeRED emergency alert systems to prevent another cyber attack that could put user data at risk.
To mitigate the impacts of the disruption occasioned by the cyber attack, Crisis24 immediately began updating the new CodeRED emergency alert systems with data backups.
However, the most recent backup is dated March 31, 2025, suggesting that some user information would be missing.
Nevertheless, it claims the new system has undergone “a comprehensive security audit” and sits on a non-compromised environment, having undergone penetration testing.
Crisis24 also launched an investigation that determined the cyber attack leaked user data, including the victims’ names, physical addresses, email addresses, phone numbers, and CodeRED user account passwords.
However, no evidence suggests that the attackers have published the stolen information on the dark web. It also claims that the cyber attack only affected the emergency alert systems and did not spread to other parts of its internal IT infrastructure.
Meanwhile, many cities and departments say they are working to restore their emergency alert systems following the cyber attack. Local governments in Florida, the Carolinas, Michigan, and Colorado have confirmed that the cyber attack knocked their emergency alert systems offline. Massachusetts, Texas, Ohio, Kansas, Georgia, California, Utah, Missouri, Montana, and New Mexico were also impacted.
“The South Carolina Emergency Management Division (SCEMD) is alerting residents to a nationwide outage of the CodeRED notification system, one of several alert tools used by emergency management agencies in South Carolina,” stated the South Carolina Emergency Management Division (SCEMD).
Douglas County Sheriff’s Office in Colorado also terminated its contract with CodeRED to protect the privacy of its citizens. In the meantime, the Sheriff’s Office is using the IPAWS while searching for a more suitable and permanent replacement. However, some authorities are transitioning to the new CodeRED system.
“The cyberattack on OnSolve’s CodeRED platform disrupted geo-targeted emergency notifications for agencies in several states, exposing the dangers of relying on a single service for critical safety operations,” commented Damon Small, Board of Directors at Xcape. “When the emergency system is the emergency, redundancy isn’t optional; it’s the lifeline.”
Subsequently, Small advised agencies in the affected states to “immediately require password changes, update API keys and integration tokens, review administrative access, and check for account reuse on other platforms.”
He also recommended implementing alternatives “such as IPAWS/WEA, local radio, NOAA, sirens, and pre-approved social media posts, as well as conduct drills for ‘alert system failure’ situations to ensure public warnings continue uninterrupted.”
INC ransomware linked to cyber attack on OnSolve CodeRED emergency alert systems
The INC Ransomware gang claimed responsibility for the Crisis24 cyber attack by listing the company on a dark web data leak site on November 22. It claims to have infiltrated the company on November 1 and encrypted the emergency alert systems on November 10, 2025.
The cybercrime group reportedly demanded $950,000 as ransom, but later reduced it to $450,000. Crisis24 allegedly countered the demand by offering $100,000, then increased it to $150,000, but the ransomware group rejected both offers.
Subsequently, the cybercrime group resorted to auctioning the stolen data online and leaked samples that included clear-text passwords to pressure Crisis24 into paying the exorbitant ransom.
In response, the company and various Sheriff departments advised impacted individuals to reset their account passwords to prevent further compromise.
“Users who have reused their OnSolve CodeRED password for any other personal or business accounts are advised to change those passwords immediately,” the notification email stated.
