The City of York, Pennsylvania, did not publicly disclose a July 2025 ransomware attack while the incident was unfolding, even as the disruption affected municipal email and the city’s parking-garage system.
A York Daily Record article published in August 2025 showed how narrowly the city described the problem at the time. The newspaper reported that York’s parking-garage system had been interrupted for at least three weeks, forcing staff to collect payment manually and prompting the city to post flat parking rates. When asked whether the outage was tied to a security breach, then-Mayor Michael Helfrich declined to answer and repeatedly said “no comment.”
Months later, a February 2026 York Daily Record investigation provided a fuller account. The newspaper reported that Helfrich said the attack began July 8, 2025, seized control of the city’s IT infrastructure, cut staff off from email and disabled digital kiosks at the city’s three parking garages.
“We had no computers, or email, or anything,” Helfrich told the newspaper. “They locked up everything. That’s why the parking garages wouldn’t work.”
According to that February 2026 reporting, city email was down for about two weeks, while parking-garage problems lasted about three weeks into early August. The newspaper also reported that the city’s insurer negotiated the attackers’ demand from $1 million to $500,000 and paid that amount, while York covered a $25,000 deductible. Helfrich told the paper the matter was not fully resolved until around September.
The same York Daily Record investigation said internal city emails released through a records request showed then-Business Administrator Kim Robertson writing on July 14 that “it’s of the utmost importance at the moment that we attempt to control how the details about this situation are shared publicly.” The newspaper also reported that City Council President Edquina Washington postponed a planned July 15 news conference because of the ransomware negotiations.
York’s own records later referred to the matter in narrower terms. City Council minutes from February 2026 said work to reconcile the city’s long-delayed audits had been “further complicated by a cyber-attack on city infrastructure.” The minutes did not detail the timing, scope, ransom payment or operational disruptions described in the newspaper’s reporting.
The attack also worsened an existing financial problem at City Hall. Helfrich told the York Daily Record that the incident delayed work on audits that were already about five years behind. That issue later resurfaced in city records and in criticism over the city’s financial management.
The York Daily Record also reported that York police notified the Pennsylvania State Police and the FBI, and that the insurer brought in a firm experienced in extortion negotiations. In an internal update recounted by the newspaper, Police Commissioner Michael Muldrow said the hackers were believed to be a known Russian group. York has not publicly identified a threat actor, and DysruptionHub found no public extortion-site claim tied to the city.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
According to the February 2026 article, the parking system was restored on Aug. 11. A few weeks later, council approved a roughly $298,000 plan to replace the garage system with a cloud-based platform. Helfrich said in the earlier August 2025 story that the upgrade had already been planned and was not a response to the outage.
York is the county seat of York County in south-central Pennsylvania, and the disruption affected core municipal operations. The case also fits a broader pattern of limited public disclosure around municipal cyber incidents. In Angleton, Texas, officials publicly described service disruptions as an “internet outage” even as a state filing called the event a “Cyber Security Crime.” In North Dakota, Fargo Park District said it detected unusual activity on Oct. 27, 2025, but did not publicly disclose a cyber event until Dec. 5, when a ransomware claim surfaced online. In Cocoa, Florida, officials likewise referred only to ongoing “technical issues” while outside reporting linked the February 2026 outage to a ransomware claim.
Questions remain about whether any resident or employee data was exfiltrated, what systems beyond email and parking were affected, and whether York will release a full incident report. What has become clear through local reporting and public records is that residents were not publicly told during the outage, or after it was resolved, that the city had suffered a ransomware attack and that its insurer had paid a $500,000 settlement.
