Nationwide OnSolve CodeRED Breach Hits Monroe County, Exposing Resident Data

A nationwide cybersecurity incident involving the OnSolve CodeRED mass notification network has placed Monroe County, Georgia residents at risk, prompting local officials to warn the public and begin transitioning to a new emergency alert system. The Monroe County cyberattack, which officials emphasize did not originate locally, has compromised personal information belonging to users enrolled in the county’s emergency alert service.

In its formal notification, Monroe County Emergency Management Agency (EMA) informed residents that a nationwide data breach affecting all OnSolve CodeRED customers had been confirmed. The county stated, “This has been an issue nationwide,” stressing that the breach stemmed from an attack on the vendor system rather than any action by Monroe County personnel. According to the county, the incident was attributed to “an organized cybercriminal group that has victimized our platform and our customers.”

Compromised Monroe County’s User Data

The cyberattack on Monroe County users occurred within the broader CodeRED environment, which supports emergency alerts issued across the United States. Once the breach was discovered, OnSolve immediately discontinued its CodeRED service nationwide and shifted resources to a new platform known as Crisis24 CodeRED. Officials said the intrusion was contained within the original system and did not spread to other networks.

According to OnSolve’s assessment, the compromised data includes names, addresses, email addresses, phone numbers, and passwords associated with CodeRED user accounts. County officials urged residents who use the same password for multiple accounts to change those passwords immediately to reduce the risk of further exposure.

Enrollment timing also affects the extent of data loss. Monroe County explained that residents who signed up for CodeRED before March 31, 2025, will have their information migrated to the new Crisis24 CodeRED platform. However, all data added after March 31, 2025, was lost during the incident, meaning those users will need to re-enroll once the new system becomes fully operational. The county noted that it is working closely with Crisis24 staff to expedite the setup of the replacement alert service.

Vendor Response, FAQ Details, and System Transition 

Although the breach occurred entirely within a third-party vendor system, Monroe County EMA acknowledged that the incident is likely to cause worry within the community. Officials pledged ongoing communication, stating they will share any additional updates provided by OnSolve.

OnSolve also released a detailed FAQ explaining the breach. The vendor reported that personal contact information “may be published” as a result of the attack, but said forensic analysis indicates no impact on municipal systems beyond emergency alerts. According to the provider, the newly launched Crisis24 CodeRED platform resides in a separate, non-compromised environment and has undergone a comprehensive security audit, including external penetration testing and system hardening.

The company stated that the cybersecurity incident was detected in November and that it acted quickly to secure the affected systems, launch an investigation, and engage outside experts. The original OnSolve CodeRED platform has since been permanently decommissioned.

No Evidence of Identity Theft, but Rising Cyber Risks Cited 

Despite concerns surrounding the Monroe County cyberattack, officials report no evidence that the compromised data has been used for identity theft or fraud. They noted that the breach reflects a broader rise in cyber intrusions nationwide, highlighting the need for stronger threat monitoring and rapid detection.

As the county works to restore its emergency alert system, officials reiterated their commitment to transparency and continued oversight. The growing frequency of attacks also underscores why organizations increasingly rely on independent threat-intelligence providers such as Cyble, whose research regularly tracks new vulnerabilities and cybercriminal activity across global networks.

To better understand how organizations can strengthen their defenses against incidents like the Monroe County cyberattack, security teams can request a guided demonstration of Cyble’s AI-native threat-intelligence capabilities. A personalized demo provides a practical look at how Cyble identifies exposures, tracks threat actors, and supports faster response decisions.

Millions at risk after nationwide CodeRED alert system outage and data breach

27 November 2025 at 09:40

A nationwide cyberattack against the OnSolve CodeRED emergency notifications system has prompted cities and counties across the US to warn residents and advise them to change their passwords.

CodeRED is used by local governments to deliver fast, targeted alerts during severe weather, evacuations, missing persons, and other urgent events. Both the data breach and the service outage have serious implications for communities.

The OnSolve CodeRED system is a cloud-based platform used by city, county, and state agencies to send emergency alerts via voice calls, SMS, email, mobile app notifications, and national alerting systems. Because of the incident, some regions temporarily lost access to the system and had to rely on social media or other methods to reach the public.

To avoid confusion: CodeRED is not the same as the Emergency Alert System (EAS), which is the federal government-managed emergency notifications system. The CodeRED emergency notification system is a voluntary program where residents can sign up to receive notifications and emergency alerts affecting the city they live in.

What’s happened?

Among the many affected municipalities, the City of Cambridge’s Emergency Communications, Police, and Fire Departments issued an alert urging users to change their passwords, especially if they reused the same password elsewhere. Similar advisories have been published by towns and counties in multiple states as the scale of the attack became clear.

The City of University Park, Texas, also warned residents:

“As a precaution, we want to make residents aware of a recent cybersecurity incident involving the City’s third-party emergency alert system, CodeRED. We were notified that a cybercriminal group targeted the system, which caused disruption and may have compromised some user data. This incident did not affect any City systems or services and remains isolated to the CodeRED software.”

The cause is reportedly a ransomware attack claimed by the INC Ransom group. The group posted screenshots that appear to show stolen customer data, including email addresses and associated clear-text passwords.

The INC Ransom group also published part of the alleged ransom negotiation, suggesting that Crisis24 (the provider behind CodeRED) initially offered $100,000, later increasing the offer to $150,000, which INC rejected.

INC Ransom leak site

The incident forced Crisis24 to shut down its legacy environment and rebuild the system in a new, isolated infrastructure. Some regions, such as Douglas County, Colorado, have terminated their CodeRED contracts following the outage.

Why this matters

Cyberattacks happen, and data breaches are not always preventable. But storing your subscriber database—including passwords in clear text—seems rather careless. Providers should assume people reuse passwords, especially for accounts they don’t view as very sensitive.

Not that ransomware groups care, of course, but systems like CodeRED genuinely save lives. When that system goes down or cannot be trusted, communities may miss evacuation orders, severe weather warnings, or active-shooter alerts when minutes matter.

Users are now being told to change their passwords, sometimes across multiple websites. But has everyone been notified? And even if they have, will they actually take action?

Protecting yourself after a data breach

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
  • Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

U.S. CodeRED Emergency Alert System Down After Ransomware Attack

26 November 2025 at 12:33

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans.

The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is in the process of moving all customers to its new CodeRED platform.”

Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts.

The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including CSV files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.