Can cyberattacks against cities affect public services?

In recent years, there have been cyberattacks against cities that highlight the need for local governments to invest in cybersecurity.
Approximately 5,000 computers were affected, and it took 40 days to restore normalcy and allow citizens to resume online procedures. This was the result of the ransomware attack suffered by Seville City Council in September and October 2023, one of the most significant cyberattacks against cities in Spain to date.
For more than a month, Seville residents were unable to conduct administrative procedures online or pay taxes, such as property taxes.
Until then, the city council’s investment in cybersecurity had been minimal. For example, its computers were protected with basic antivirus software, and the attackers were able to persist in the municipal systems for months until they deployed ransomware that allowed them to encrypt the city council’s data.
Following the incident, Seville has invested 12 million euros in designing and implementing a cybersecurity strategy; however, many Spanish cities still lack an adequate level of protection.
In the middle of summer, Elche also suffered a ransomware attack that paralyzed its electronic administration for weeks. Furthermore, it was discovered that the last backup of municipal files was from February.
These cases enable us to consider the risks faced by local authorities and underscore the importance of city councils having a cybersecurity strategy that empowers them to counter the increasing number of cyberattacks targeting cities worldwide.
1. The breeding ground that encourages cyberattacks against cities
Why are cyberattacks against cities now a top-level threat to local governments? There are a number of reasons why hostile actors target municipal institutions and services and are able to succeed:
- Local governments store extremely sensitive data and documents about citizens and businesses, including identity and tax documents, billing data, and contact information. For example, in June 2025, the city council of Oxford suffered a breach of personal data belonging to its municipal employees.
- Unlike other public administrations, city councils have not made cybersecurity a strategic priority.
- Many municipal officials with decision-making power lack cybersecurity training and are unaware of the risks to which cities that do not invest in cybersecurity are exposed.
- City council staff comprise a diverse range of professionals who often lack training in cybersecurity, making them potential entry points for malware attacks.
- Many cities have outdated IT infrastructure and lack robust security policies. Numerous devices and servers are obsolete and may have vulnerabilities for which security patches already exist.
- Collaboration between administrations is poor. There are no channels of communication or cooperation between city councils and national-level agencies or teams specializing in cybersecurity, even though such cooperation is vitally important both in preventing incidents and in managing them as effectively as possible.
- Hostile actors have a clear economic motivation: to demand a ransom in exchange for returning encrypted information, or to sell the personal data obtained. But there may also be a political motivation. We cannot ignore the growing number of cyberattacks launched by criminal groups associated with countries such as Russia or Iran against Western public institutions.
2. Large ransomware groups, a threat looming over the public and private sectors
Just a few weeks ago, one of the most significant cyberattacks against cities this year occurred. The target of the hostile actors was the US city of St. Paul.
The Interlock criminal group was able to sneak into municipal systems and infect them with ransomware. The professionals in charge of the city’s technological infrastructure had to disconnect multiple systems to minimize the incident’s impact. The attack was so severe that:
- The city declared a state of emergency, and the state of Minnesota deployed the National Guard’s cybersecurity team to assist in responding to the incident.
- The criminal gang demanded a ransom in exchange for returning the stolen data and not disclosing it to the public.
- Many municipal services were disrupted or hampered by access problems.
- Online payments were unavailable for days.
- Alternative channels had to be set up to pay garbage collection bills.
- Public libraries had to switch to analog operation and were left without WiFi.
- Water bills could not be paid for several weeks in any way, not even in person.
- The devices of 3,500 municipal workers have been analyzed one by one and their credentials reset.
As if all this were not enough, a typical consequence of ransomware attacks against companies or public administrations has come into play: the fear that social engineering campaigns will be carried out against citizens and workers.
The Interlock ransomware group claims to have stolen more than 43 GB of data and has already exfiltrated personal data and documents from employees of the Parks Department. To prevent them from being used to commit fraud against public workers, the city has already offered them insurance against identity theft.
In addition, citizens have been warned to be cautious of invoices that appear to come from municipal services and not to click on suspicious links or open attachments to emails that are not completely verified as genuine.
What happened in St. Paul is not a new development; rather, the city has joined the long list of companies and institutions that have been successfully targeted in recent years.

3. Why cyberattacks against cities can seriously affect citizens and businesses
Municipal administrations worldwide manage essential services for citizens and the productive economy: garbage collection, drinking water supply, local police, municipal fire departments, urban traffic, libraries, cultural or sports centers, municipal parks, museums, and key urban planning and administrative tasks, such as granting business licenses…
We could spend all day listing municipal services of great importance. What happens if a cyberattack causes the city’s traffic lights to stop working? What if it becomes impossible to pay for municipal licenses, library computer systems stop working, or spaces in sports centers cannot be reserved? Could a security incident affect the water supply?
The Polish government has just announced that it thwarted a cyberattack against the water supply of one of the country’s major cities.
We need only look back to see the effects of serious cyberattacks against cities. For example, in 2018, Atlanta, one of the largest cities in the United States, suffered a ransomware attack that:
- Paralyzed the local court system.
- Made it impossible to pay water or garbage bills.
- Undermined communications in key areas such as infrastructure and sewage.
- Destroyed images recorded by patrol cars.
- Forced the police department to use pen and paper to carry out their daily activities.
- Left the city’s airport, one of the busiest in the world, without free WiFi for travelers.
- Prevented municipal workers from working with their computer equipment for a week.
4. DDoS attacks against city councils: Actions of a Cold Cyberwar
A Coruña, Barcelona, Bilbao, Irún, Lugo, Mérida, Murcia, Palma, San Sebastián, Santiago, Vigo, Zaragoza… These are just some of the city councils that have suffered distributed denial-of-service (DDoS) attacks this year.
In most cases, citizens have been unable to access municipal websites for brief periods. However, if a city council is not prepared to deal with DDoS attacks, it runs the risk of having essential web services, such as virtual offices for conducting procedures, paying bills, or paying local taxes, rendered inoperative for hours or days.
Why are DDoS attacks against public administrations on the rise? We can point to two main reasons:
- Some DDoS attacks are part of a hacktivism or cyberwarfare strategy in an extremely delicate geopolitical context, such as the current one. For example, behind many of the successful DDoS attacks in 2025 was the pro-Russian criminal group NoName057, which was dismantled in mid-July in an operation coordinated by Europol and involving 12 countries. Why did this group attack public administrations in our country? As a form of retaliation for Spain’s support for Ukraine.
- NoName057 operated a DDoS-as-a-Service platform, through which it recruited malicious actors lacking the necessary knowledge and resources to launch large-scale DDoS attacks. The platform offered them rewards, provided them with specific software, known as DDoSia, and a vast network of servers.

5. The economic cost of cyberattacks against cities is significantly higher than the amount that should be invested in cybersecurity
$17 million. That was the amount that the city of Atlanta had to pay to deal with the cyberattack it suffered in 2018, the effects of which we outlined earlier.
Initially, the local administration had estimated that the cost of resolving the incident and returning to normal would be around $3 million.
The city of Baltimore quantified the economic impact of a successful ransomware attack against the city at a similar figure: $18.2 million. This figure included not only incident response and disaster recovery services, but also the consequences of the disruption suffered by tax collection services.
These economic figures are significant enough to highlight the exorbitant cost that cyberattacks against cities can generate.
It should therefore come as no surprise that city councils that suffer security incidents and discover the impact of cyberattacks are beginning to take cybersecurity seriously.
To cite a recent example, the mayor of St. Paul stated that, following the incident affecting his city, updated cybersecurity software was being installed on municipal administration devices and servers. Meanwhile, in Atlanta and Seville, there was a substantial increase in the budget allocated to cybersecurity.
What these incidents demonstrate is that investing in cybersecurity is not an option, but a necessity, both legally and economically. Furthermore, we must not lose sight of the economic impact of a security incident that affects local businesses’ operations and the political consequences that elected officials must bear for cyberattacks against cities.
6. Local governments need cybersecurity services to deal with cyberattacks against cities
What can local governments do to prevent security incidents, respond to them effectively, and limit their impact on public services, citizens, and the local productive fabric?
Depending on their size and the financial resources they can allocate to cybersecurity, they must design and implement security strategies based on essential cybersecurity services such as:
- Continuous security audits of all technological infrastructure, combining the use of automated tools with analysis by cybersecurity experts to detect incidents at an early stage, as well as vulnerabilities present in municipal assets.
- Vulnerability management to prioritize mitigation according to criticality level and available resources.
- Denial-of-service testing to measure resistance to DDoS attacks.
- Social engineering testing to train and raise awareness among all municipal employees and elected officials. This also tests whether a sophisticated social engineering attack could be successful.
- Larger municipalities with extensive public services and vast amounts of data can utilize advanced cybersecurity services, such as penetration testing or Red Team exercises, to enhance their cyber resilience and train their security teams.
- Incident response. To prevent cyberattacks against cities from seriously affecting critical public services and prolonging the recovery process for weeks, it is essential to have a proactive incident response service in place. Why? Because the professionals involved do not act only after an incident occurs: they prepare comprehensively beforehand, including by developing an incident response plan, so that they can respond to incidents with maximum effectiveness.
In conclusion, like other public administrations and agencies, city councils are not immune to malicious activity. On the contrary, they are a juicy target for criminals due to the amount and relevance of the information they hold, as well as the fact that many of them have weak security postures.
Faced with this scenario, local administrations, which are increasingly digitized, must place cybersecurity at the center of their strategies and allocate sufficient resources to protect their digital assets and ensure the functioning of the public services they provide.