Ransomware Paralyzes a California City — Blocks Away From the World's Largest Security Conference
In a moment of grim irony, Foster City, California became the victim of a crippling ransomware attack on March 19, 2026 — just days before the RSAC Conference drew tens of thousands of cybersecurity professionals to nearby San Francisco. The attack forced the city to take all non-emergency systems offline, suspended public-facing government services, and ultimately compelled the City Council to declare a formal state of emergency on the sixth night of the outage. Residents were warned that personal data may have been accessed and urged to change passwords for any accounts linked to city services.
| Attribute | Value |
|---|---|
| Incident Type | Ransomware attack |
| Discovery Date | March 19, 2026 (early morning) |
| Affected Jurisdiction | Foster City, California |
| Duration of Outage | 6+ days at time of emergency declaration |
| Emergency Declaration | City Council, Monday night (March 24, 2026) |
| 911 / Police Dispatch | NOT affected — remained operational |
| Non-Emergency Services | Paused entirely pending investigation |
| Data Exposure | Possible public data access — passwords urged changed |
| Coincidence | RSAC Conference ongoing in nearby San Francisco |
How the Attack Unfolded
City IT staff discovered anomalous activity in Foster City's government network in the early morning hours of March 19, consistent with ransomware deployment. The initial response followed standard containment protocol: systems were taken offline to prevent further spread, isolating the damage but also bringing all non-emergency municipal services to a halt.
Over the following days, city employees operated on paper-based fallback procedures or were unable to serve residents entirely. Public portals for permits, payments, and records requests went dark. City staff worked with external incident response partners to assess the scope of the compromise, determine whether data had been exfiltrated, and begin the process of restoring systems from backup.
Emergency Declaration — Day Six
By Monday evening, six days into the outage, the Foster City City Council convened and voted to declare a formal state of emergency. The declaration unlocks additional resources — including emergency procurement pathways and state and federal assistance mechanisms — that are unavailable under normal operational conditions. It also signals that the city does not expect a rapid, self-contained resolution and is preparing for a prolonged recovery.
City officials confirmed that while 911 services and police dispatch were never disrupted, the breadth of affected systems across administrative, financial, and community service functions justified the emergency designation.
Data Exposure Warning
Alongside the emergency declaration, Foster City officials issued a public advisory warning that personal data belonging to residents may have been accessed during the intrusion. The city urged all individuals who had interacted with city systems — online bill payment, permit applications, utility accounts, or community programs — to change their passwords immediately and monitor financial accounts for suspicious activity. No specific data types or estimated record counts had been publicly confirmed at the time of the declaration.
The RSAC Proximity
The timing placed the attack in an uncomfortable spotlight. The RSA Conference, the cybersecurity industry's flagship annual event, was drawing an estimated 40,000 attendees to Moscone Center in San Francisco — roughly 20 miles from Foster City. Security researchers, vendors, and government officials gathering to discuss threat trends and defenses were doing so while a city in the same metro area was living through an active ransomware crisis.
The juxtaposition underscored a persistent disconnect in cybersecurity: the industry's concentration of expertise and attention at the enterprise and federal levels, while state and local governments — operating with far smaller budgets and teams — remain disproportionately vulnerable to exactly the attacks being discussed at the conference.
| Impact Area | Description |
|---|---|
| Municipal Services | All non-emergency services paused for 6+ days |
| Residents | Unable to access permits, payments, or records online |
| City Staff | Reduced to manual fallback operations |
| Public Data | Possible exfiltration — residents advised to change passwords |
| Emergency Services | 911 and police dispatch fully operational throughout |
| Financial Impact | Recovery costs, potential ransom demand, legal exposure |
| Reputational | Emergency declaration draws state and national attention |
Recommendations for Residents
- Change passwords immediately for any accounts associated with city services, particularly if you used the same password elsewhere.
- Enable multi-factor authentication on email and financial accounts as a precaution against credential-stuffing attacks.
- Monitor your credit report and consider placing a fraud alert if you submitted sensitive personal information through city portals.
- Be alert to phishing — attackers who obtain resident data often follow up with targeted phishing campaigns posing as official city communications.
Recommendations for Municipal IT and Administrators
- Offline backups are non-negotiable: The single most effective ransomware mitigation is tested, air-gapped backups that attackers cannot encrypt. Verify recovery time objectives against operational needs.
- Segment municipal networks: Administrative, financial, and public-facing systems should be on separate network segments with strict east-west traffic controls.
- Conduct tabletop exercises: A state of emergency declaration on day six suggests the incident response plan had gaps. Simulate ransomware scenarios annually with department heads and council members present.
- Apply for CISA and MS-ISAC support: Both organizations provide free cybersecurity assessments and incident response support to state and local governments.
Recommendations for State and Federal Policy Makers
- Expand cyber grants for municipalities: Most cities Foster City's size cannot afford dedicated security operations staff. Federal grant programs like SLCGP need increased funding and simpler application processes.
- Mandate minimum security baselines for local government: Password policies, MFA requirements, and backup standards should be codified as conditions of receiving state or federal IT funding.
Key Takeaways
- Ransomware struck Foster City, California on March 19, 2026, shutting down all non-emergency government services for more than six days.
- The City Council declared a formal state of emergency on the sixth day, unlocking emergency procurement and state/federal assistance mechanisms.
- Emergency services — 911 and police dispatch — were never impacted, demonstrating that some critical isolation was in place, but administrative systems were fully paralyzed.
- Residents were warned that personal data may have been accessed, prompting an urgent advisory to change passwords and monitor accounts.
- The attack occurred while the RSAC Conference was underway 20 miles away, highlighting the gap between high-level industry attention and the ground-level vulnerability of small municipal governments.
- The incident is a reminder that ransomware groups do not spare public institutions — and that local governments with limited budgets remain high-value, low-resistance targets.