What happened in the City of Modesto ransomware attack?
The City of Modesto ransomware attack was a February 2023 ransomware incident in which the Snatch ransomware group breached the Modesto Police Department’s IT network, accessed personally identifiable information for police employees and a smaller number of other individuals, knocked patrol-vehicle laptops and dispatch tooling offline, and forced a roughly five-week, $1 million-plus recovery effort.[1][2][3]
That is the short version. The longer version is more uncomfortable, because the public reporting and a separate 2025 city risk assessment together paint the picture of a city that responded reasonably well in the moment but had structural information-security gaps that almost certainly made the incident worse — and that, as of the 2025 review, were still not fully closed.[4][5]
This post walks through what actually happened, what it cost, what the 2025 risk assessment found, and what mid-market and municipal IT leaders should take away from it. We are based in Modesto. We work with regulated organizations across the Central Valley. We do not enjoy writing about local incidents, but we believe security maturity in our region only improves when leaders look at the facts honestly. For context on how Datapath approaches that, see our cybersecurity consulting in Modesto overview.
When did the City of Modesto cyber attack start and end?
According to letters the city later sent to affected individuals, unauthorized activity inside the Modesto Police Department’s digital network began on January 31, 2023, and was first detected by city staff on February 3, 2023.[1] The city did not publicly confirm the incident until a follow-up statement after media inquiries, and only formally confirmed in early March 2023 that it was a ransomware event with potential exposure of Social Security numbers and driver’s license numbers.[2][3]
The Snatch ransomware group claimed responsibility, posted 15 files on its dark-web leak site that it said contained Modesto data, and began releasing portions of that data publicly in April 2023 — consistent with the typical “double-extortion” model where ransomware operators steal data first and threaten release if no ransom is paid.[3]
It took the city about five weeks to bring Modesto Police Department systems back online, including:[2]
- patrol-vehicle mobile data computers (officers temporarily reverted to handheld radios and paper)
- the department’s dispatch and records-adjacent tools
- internal Police Department network access
Through it all, 911 call answering and emergency response stayed operational. That was the right priority, and the city deserves credit for protecting it.
What did the City of Modesto ransomware attack actually cost?
Publicly reported figures put the total cost north of $1 million, broken down approximately as follows:[2]
- Up to $586,645 for outside incident-response and recovery work, primarily through MoxFive (with Entara as a subcontractor)
- Up to $497,000 in new and upgraded cybersecurity tooling — endpoint protection, monitoring, and detection capabilities
- $100,000 insurance deductible
City officials told the Modesto Bee at the time that they expected cyber insurance to cover most of the rest. That is consistent with what we see across municipal incident-response engagements: the hard out-of-pocket cost is usually the deductible plus tooling and process work the city should have funded before the event.
For more on how to plan that funding, our guide on cyber insurance readiness for regulated businesses is a good companion read.
What was exposed in the City of Modesto data breach?
The exposed data was, by the city’s own description, “limited” but real. According to notification letters and follow-up reporting, the impacted records included:[1][3]
- names
- home addresses
- Social Security numbers
- driver’s license numbers
The largest share of affected individuals were Modesto Police Department employees, with a smaller number of other city employees and a small population of non-employees included. The city offered one year of complimentary credit monitoring to people whose data may have been accessed.
For a non-PD employee whose information ended up in a leaked file, “limited” is not very comforting. That is one of the reasons we routinely tell municipal clients that the goal of a security program is not just to keep data out of attackers’ hands, but to keep the minimum necessary data inside the systems most likely to be targeted in the first place.
What did the 2025 City of Modesto risk assessment find?
This is the part of the story most residents probably missed.
A 2025 risk assessment of the City of Modesto, surfaced in subsequent Modesto Bee coverage, found that the city — two years after the Police Department ransomware attack — still had material information-security governance gaps. Specifically, the assessment reported that the city:[4][5]
- did not have a formal information security policy
- did not have a formal data governance policy
- had incomplete policies for access control and data privacy
- did not conduct regular penetration testing of its systems
That is a significant finding for any organization, and it is a particularly significant finding for a city that already paid the price of a ransomware event. Tooling went up. Spending went up. The governance scaffolding underneath, based on the 2025 review, did not catch up at the same pace.
That gap matters. Tooling without policy tends to drift. Without a written information security policy, you cannot consistently answer questions like “who owns admin accounts,” “what data is sensitive,” “what is the change-control standard,” or “who approves exceptions.” Without a data governance policy, you cannot consistently answer “where does this data live, who can see it, how long do we keep it, and when is it destroyed.” Without regular penetration testing, you do not get an outside view of how an attacker would actually move through your environment today.
The Modesto Bee reporting that surfaced these gaps in 2025 and 2026 is essentially the same reporting people now find when they search for Modesto Bee data breach coverage — so the local journalism is doing its job. The question is what other Central Valley organizations do with what it revealed.
What could the City of Modesto have done better?
Based on the publicly reported facts and the 2025 risk assessment findings, here is a candid view of what could have improved the outcome.
1. Faster detection inside the network
The unauthorized activity reportedly began on January 31, 2023, and was not detected until February 3, 2023.[1] Three days is not catastrophic by national averages, but it is enough time for a competent ransomware operator to do staging, credential theft, and data exfiltration before encryption. Modern managed detection and response (MDR) and endpoint detection and response (EDR) telemetry, monitored 24/7, would have closed that window. For more on the difference, see our post on EDR vs. antivirus.
2. Multi-factor authentication everywhere it mattered
External analysis of the incident specifically called out that “most attacks do succeed as a result of basic security shortcomings like not using MFA” where it is needed.[2] We do not know which specific accounts were compromised in Modesto, but the pattern is consistent: privileged accounts without MFA are the single most reliable foothold for ransomware operators today.
3. Immutable, segmented backups with tested restores
Recovery work confirmed that the response team had to verify “backups are valid and usable” and “rebuild hardware to eliminate possible infection.”[2] That is exactly the kind of work that goes faster when backups are immutable, isolated from the production identity plane, and routinely test-restored. Our backup immutability checklist for ransomware-resilient IT environments walks through the controls.
4. A pre-approved restoration order
Five weeks is a long time for a police department to operate on radios and paper. Some of that time is unavoidable — forensics, rebuild, segmentation — but a meaningful portion comes from leadership and IT having to decide during the incident which systems come back first. Our companion post on a city government ransomware recovery plan covers the restoration-order discipline that compresses that timeline.
5. Faster, clearer public disclosure
The city initially declined to confirm the incident, and only formally acknowledged it was ransomware after a follow-up statement and media inquiry.[2][3] We understand the reason — protecting the investigation — but for a public-sector entity, prolonged ambiguity erodes trust. California’s own 30-day breach notification timeline, formalized under SB-446 in late 2025, raises the bar further for any future incident.[6]
6. A written information security and data governance program — before the next event
This is the single biggest message from the 2025 risk assessment. The city’s most useful next step is not another product purchase. It is a written, leadership-endorsed information security policy, a data governance policy, completed access-control and data-privacy standards, and an external penetration test on a defined cadence. None of that is glamorous. All of it would shorten the next incident.
What should other municipal and mid-market IT leaders take away?
The honest takeaway for IT leaders watching this story from Stanislaus County, Merced, Stockton, Fresno, or any mid-market organization in regulated industries is:
- Assume you are a target. Snatch, LockBit, BlackSuit, and their successors have repeatedly hit small and mid-sized U.S. cities. Local government is squarely in scope.
- Tooling alone is not a program. A million dollars in new tools without a written security policy, defined data ownership, and tested processes is a partial solution.
- The 2025 risk assessment pattern is common. We see organizations across the Central Valley invest in EDR, MDR, and backup upgrades after an incident, but still lack the governance documents that would make those investments durable.
- Insurance is not a strategy. It funded part of Modesto’s recovery, but it did not put officers back in cruisers any faster. The cheapest dollar is still the one you spend on prevention and detection.
If your organization is in the middle of any of this — post-incident, post-audit, or post-renewal — that is the moment a properly scoped cybersecurity risk assessment and a written remediation plan tend to pay back fastest.
How Datapath thinks about local incidents like this
We are headquartered in Modesto. Our VP of operations and many of our engineers live and work here. We did not work on the City of Modesto incident, and nothing in this post is informed by non-public information. Everything cited is from public reporting and from the city’s own statements and risk-assessment findings.
The reason we write about it at all is that the lessons translate directly to other Central Valley organizations — school districts, healthcare groups, county agencies, financial-services firms, and mid-market businesses with 100 to 1,000 employees. The pattern is consistent: ransomware finds the gap between tooling and program. Closing that gap is what Datapath’s Accountability-as-a-Service model is designed to do.
If you are an IT leader in a public-sector or regulated environment trying to harden against the next incident, start with a conversation — or, if you want a structured place to begin, see our city government ransomware recovery plan post and CJIS incident response plan requirements guide.
Sources and further reading
- Government Technology — Cyber Incident Disrupts Modesto, Calif., Police Department
- Government Technology — Personal Data Exposed in Cyber Attack on Modesto, Calif., PD
- Government Technology — Hackers Behind Modesto PD Attack Begin Releasing Data
- Government Technology — Ransomware Attack Could Cost Modesto, Calif., $1M
- The Cyber Express — City of Modesto Cyber Attack: Snatch Ransomware Group
- California Data Protection Report — SB-446 30-Day Notification
Footnotes
1. Government Technology, “Personal Data Exposed in Cyber Attack on Modesto, Calif., PD,” https://www.govtech.com/security/personal-data-exposed-in-cyber-attack-on-modesto-calif-pd
2. Government Technology, “Ransomware Attack Could Cost Modesto, Calif., $1M,” https://www.govtech.com/security/ransomware-attack-could-cost-modesto-calif-1m
3. Government Technology, “Hackers Behind Modesto PD Attack Begin Releasing Data,” https://www.govtech.com/security/hackers-behind-modesto-pd-attack-begin-releasing-data
4. Modesto Bee coverage, City of Modesto 2025 risk assessment findings, summarized via secondary reporting (information security policy, data governance, access control, penetration testing gaps).
5. Government Technology, “Cyber Incident Disrupts Modesto, Calif., Police Department,” https://www.govtech.com/security/cyber-incident-disrupts-modesto-calif-police-department
6. Norton Rose Fulbright Data Protection Report, “California tightens data breach notification timelines, imposes 30-day notice requirement,” November 2025, https://www.dataprotectionreport.com/2025/11/california-tightens-data-breach-notification-timelines-imposes-30-day-notice-requirement/