The city of Cedar Falls, Iowa yesterday confirmed it notified 3,534 Iowans of a June 2024 data breach that compromised the following personal data:
- Names
- Social Security numbers
- Dates of birth
- Driver’s license numbers
- Vehicle license plate numbers
- Vehicle identification numbers (VINs)
- Health information
The notice sent to victims attributes the data breach to a June 19, 2024 ransomware attack. The notice admits a breach of personal data but says, “The event did not materially affect the City’s ability to provide public services.”
Ransomware gang BlackSuit claimed responsibility for the attack in July 2024. BlackSuit gave Cedar Falls 72 hours to pay an undisclosed amount in ransom, or else it would sell the stolen data in a public auction. BlackSuit’s claim, posted on its data leak site, said the data belonged to “employees, customers, and partners.”
Cedar Falls has not verified BlackSuit’s claim. We do not yet know if Cedar Falls paid a ransom, how much BlackSuit demanded, or how attackers breached the city’s systems. Comparitech contacted Cedar Falls officials for comment and will update this article if they respond.
The city’s notice (PDF) says, “As a credit to the City’s existing safeguards, the City was able to securely restore its network from backups, and the incident did not materially affect the City’s ability to provide public services. Following the Incident, the City enhanced its network security in the following ways: changing all passwords and updating its password policy; implementing an automated patching tool; updating its firewall configurations; conducting an external penetration test; and conducting an external vulnerability scan.”
Cedar Falls is offering eligible victims free credit monitoring via Cyberscout.
Who is BlackSuit?
BlackSuit first emerged in April 2023 and has a history of attacking critical industries like healthcare, government, and education. It’s a private operation and doesn’t employ a ransomware-as-a-service business model. BlackSuit often extorts victims twice: once for the decryption key to restore attacked systems, and again in exchange for not selling or publishing stolen data.
BlackSuit has claimed 61 confirmed ransomware attacks since it began, plus another 108 unconfirmed attacks that haven’t been acknowledged by the targeted organizations.
Around the same time that BlackSuit claimed responsibility for the attack on Cedar Falls, the group also claimed attacks on attorney Mewborn & DeSelms and Community High School District 117 in Illinois. Those attacks compromised 12,941 and 18,830 records, respectively.
In 2024, BlackSuit also claimed responsibility for attacks on Jackson County, MO; the Montgomery County, OH Board of Developmental Disabilities (MCBDDS); the Kansas City, KS Police Department; Monroe County, IN; Killeen, TX; Hollywood Burbank Airport; the Cullman County, AL commission; the Aiken, SC Housing Authority; and the Kanagawa, Japan Prefectural Sewerage Public Corporation.
In 2025, BlackSuit has so far only claimed one attack, and it has not been confirmed by the targeted organization.
Ransomware attacks on US government
Ransomware attacks on US government agencies and departments can steal data and lock down computer systems. The attacker then demands a ransom to delete the stolen data and for a key to recover infected systems. If the target doesn’t pay, it could take weeks or even months to restore systems, some data might be permanently lost, and people whose data was stolen are put at greater risk of fraud. Ransomware can disrupt everything from communications to billing, payroll, permitting, and online services.
Comparitech researchers logged 87 confirmed ransomware attacks on US government entities in in 2024, compromising 2,318,846 records. The average ransom is $2.2 million.
The biggest such attacks by number of record affected include:
– The Florida Department of Health hit by RansomHub in July 2024, compromising 730,000 records
– RIBridges (Rhode Island) hit by Brain Cipher in December 2024, compromising 650,000 records
– The city of Columbus, OH hit by Rhysida in July 2024, compromising 500,000 records
In 2025, we confirmed ransomware attacks on government organizations in the US including those on the Laramie County, WY Library System; West Haven, CT; Tarrant, AL; the Sault Ste. Marie Tribe of Chippewa Indians; and Anne Arundel County, MD.
About Cedar Falls, Iowa
The City of Cedar Falls, IA has a population of just over 40,000 people and is located in Black Hawk County. It is home to the University of Northern Iowa.
