Foster City Declares Emergency After Bay Area Cyberattack

Officials in Foster City declared a local state of emergency on Wednesday following a targeted ransomware attack that has disrupted municipal computer systems and forced critical digital infrastructure offline for several days.

The declaration — authorized by City Manager Stefan Chatwin and formally adopted by the City Council — is intended to streamline the city’s ability to reallocate resources, bypass standard procurement hurdles for emergency equipment, and seek state or federal assistance. Both San Mateo County and the Governor’s Office of Emergency Services (Cal OES) have been notified as recovery efforts continue.

The disruption began on March 19 when city IT staff identified unauthorized activity on the municipal network. In response, officials took the preemptive step of shutting down various internal servers and email systems to contain the spread of the malware.

"Out of an abundance of caution, we have taken several systems offline while we work with cybersecurity experts to investigate the scope of this incident," the city said in a statement.

While the city’s website and internal communication channels remain largely inaccessible, officials emphasized that essential public safety services — including 911 dispatch, police, and fire departments — remain fully operational. Dispatchers are utilizing manual backup protocols to ensure emergency calls are processed.

The nature of the ransomware and the specific demands of the attackers have not been publicly disclosed. However, the city has notified residents that personal information may have been accessed. City Manager Stefan Chatwin advised individuals who have conducted business with the city to monitor their personal information and consider security precautions.

Foster City has engaged third-party forensic investigators and is coordinating with federal law enforcement, including the FBI. This incident follows similar digital disruptions reported by other Bay Area local governments — including Oakland, Hayward, and St. Helena — over the past 24 months, as well as the Los Angeles Metro breach claimed by Worldleaks ransomware group.

City Hall remains open to the public, though administrative services such as permit processing and utility billing are experiencing delays. Due to the network outage, recent City Council meetings have been held in person without remote access.

The CyberSignal Analysis

The Foster City incident provides a factual case study in the operational impact of ransomware on municipal infrastructure. Based on the documented timeline and the city's official response, several key data points emerge for security professionals:

• Operational Contingency: The city’s ability to maintain 911 and fire services despite a network-wide shutdown confirms the efficacy of functional "offline" or manual protocols. For organizations, this demonstrates that resilience is measured by the continuity of essential services, even when the digital environment is compromised.
• Legal and Financial Mechanisms: The use of a "State of Emergency" declaration functions as a specific administrative tool. It allows a municipality to bypass standard, time-consuming procurement processes to hire specialized incident response (IR) firms and purchase replacement hardware immediately.
• Data Disclosure Thresholds: The city's recommendation for residents to monitor their personal accounts indicates that the potential for data exfiltration is a primary component of the forensic investigation, as is common in contemporary ransomware deployments.
• Regional Trends: This event is the latest in a series of confirmed attacks on California local governments. It underscores a pattern where public sector entities are targeted not necessarily for their specific data, but for the essential nature of their 24/7 operations.