LEONARDTOWN – St. Mary’s County officials notified residents Tuesday about a cybersecurity incident that potentially exposed personal information stored in the CodeRED emergency notification system, a third-party service used by the county’s Department of Emergency Services to deliver urgent alerts.
The breach, which occurred in early November on the vendor’s legacy platform, involved the unauthorized removal of user data, according to a public statement from the county. While no evidence shows the information has appeared online, officials warned that a future leak remains possible. The incident stemmed from a targeted attack by an organized cybercriminal group and affected only the private vendor’s systems, sparing county networks and databases.
CodeRED, operated by OnSolve under Crisis24, serves hundreds of local governments nationwide, including agencies in Southern Maryland for rapid notifications during storms, evacuations or other hazards. In St. Mary’s County, the system reaches registered users via phone calls, texts or emails to about 110,000 residents across 372 square miles, from Leonardtown to Point Lookout. The county activated CodeRED in 2008 to comply with federal mandates under the Emergency Alert System, enhancing local response capabilities in a region prone to hurricanes and flooding along the Potomac River and Chesapeake Bay.
The compromised dataset includes names, addresses, email addresses, phone numbers and passwords tied to CodeRED user profiles. Not all users set passwords; the system primarily pulls contact details from public records or voluntary registrations. Officials emphasized that financial details like bank accounts or credit cards were not involved.
St. Mary’s County Department of Emergency Services Director Tommy Wantz said in the notification that the county learned of the issue from CodeRED on Nov. 21, prompting immediate coordination with the vendor. “Our priority is to protect the safety, security, and privacy of St. Mary’s County residents while maintaining transparent communication about incidents that may affect you,” the statement read.
The attack, claimed by the INC Ransom ransomware group, began with unauthorized access on Nov. 1, 2025, followed by file encryption on Nov. 10 that triggered a nationwide outage. The group, active since mid-2024, demanded $100,000 but proceeded to publicize the breach after negotiations failed, according to its leak site. INC Ransom has targeted over 50 organizations this year, including U.S. government entities, focusing on data exfiltration before encryption to pressure victims.
Forensic analysis by Crisis24 confirmed the breach stayed isolated to the OnSolve CodeRED environment, with no spread to other services. However, the damage forced permanent decommissioning of the legacy platform, accelerating a planned migration to CodeRED by Crisis24. St. Mary’s County completed the switch ahead of schedule, restoring alert functionality using backups from March 31, 2025. This means registrations added after that date may require re-enrollment, though core public data from sources like the U.S. Postal Service remains intact.
Residents who created CodeRED accounts face the highest risk. County officials urged three steps: Update the CodeRED password immediately through the portal at coderedweb.com; replace passwords on any linked accounts, such as email or financial sites, if reused; and watch for suspicious activity, reporting it to providers. General advice includes ignoring unsolicited contacts seeking personal details, a common phishing tactic in Southern Maryland where watermen and farmers often share contact info for community alerts.
To register or update profiles on the new system, visit the county’s CodeRED page at www.stmaryscountymd.gov/emergencycodered. The service remains free, covering landlines automatically while encouraging cell phone and email opt-ins for better reach in rural areas like Mechanicsville or Charlotte Hall.
St. Mary’s County officials are collaborating with CodeRED and external cybersecurity partners to track developments and verify historical data access. The Department of Information Technology is auditing the new platform’s features, including integration with FEMA’s Integrated Public Alert and Warning System for wireless emergency alerts. Internal protocols for notifications, such as during the 2024 Hurricane Helene remnants that flooded low-lying Patuxent River farms, are under review to minimize disruptions.
Questions about the incident or alerts can be sent to EMA@stmaryscountymd.gov or 301-475-4200, extension 2125. Officials stressed that 911 services and other channels like the Maryland Coordinated Warnings and Accountability System remain operational for immediate threats.
