THE CodeRED emergency notification system incident update notes that the attack occurred in CodeRED’s legacy OnSolve environment on 31 October 2025, with ransomware deployed on 10 November. According to St.
Mary’s update, limited subscriber information affecting a small percentage of users was exposed across two data sets: one containing usernames, phone numbers and inactive, outdated passwords that were deactivated and changed in 2015, and a second containing usernames with encrypted passwords that are unreadable and not identifiable.
There is no evidence that encryption keys were accessed, and CodeRED confirmed that the exposed data did not include first or last names, addresses or other sensitive personal information, nor any active passwords. The OnSolve CodeRED system affected many entities’ emergency alert systems for around two weeks, prompting the use of alternative means to issue alerts. In response, the system was decommissioned and replaced by CodeRED by Crisis24, while some customers began exploring or switching to other vendors.
INC Ransom had claimed responsibility for the attack in November, and the government advises against paying any ransom, with OnSolve reportedly not paying despite some negotiation, while some data claimed by INC was largely old (2010–2014 for one data set).