North St. Paul Police Cyberattack Detected in July, Disrupts Systems Despite Public Assurances
North St. Paul, Minnesota, began investigating a cyberattack on its Police Department at least as early as July 22, 2025—nearly two weeks before the incident was publicly acknowledged on August 4. City records show that on July 22 and 23, officials signed agreements with the McDonald Hopkins law firm and cybersecurity company Arete Advisors to conduct a forensic investigation into a phishing-related business email compromise. These contracts were in place before the separate July 25 cyber incident in nearby St. Paul, challenging public statements that implied the North St. Paul attack occurred later.
The Arete Statement of Work outlines a narrowly scoped investigation into one compromised Microsoft 365 account, including analysis of email and audit logs for signs of malicious behavior, financial or wire fraud, and possible data exfiltration. The McDonald Hopkins engagement letter states the attack may have resulted in disclosure of personal or health information, potentially triggering legal notification obligations. While city spokespersons told the public the impact was limited and services were unaffected, a state government source who requested anonymity said Police Chief Raymond Rozales has acknowledged that the breach disrupted internal systems and online services.
A cybersecurity expert theorized that a compromise of a trusted law enforcement email account could have been leveraged to launch secondary attacks on other agencies. Given the close operational ties between the North St. Paul Police Department and neighboring jurisdictions, including the City of St. Paul, the attacker could have used the compromised account to send malicious emails to St. Paul officials, bypassing suspicion. With only three days between North St. Paul’s internal detection and the St. Paul cyberattack, the possibility of a pivot remains plausible, though no official link has been confirmed.
Evidence from internal agreements and state-level reporting indicates the operational impact was more significant than early public messaging suggested, and that the breach’s discovery predates the city’s public announcement by at least 12 days. The city is coordinating with state agencies and its insurer, the League of Minnesota Cities, as the investigation continues.