Foster City Paralyzed by Cyberattack: What Municipal Governments Must Learn

Thomas Eriksson

A City Brought to Its Knees

On March 19, 2026, officials in Foster City, California detected "suspicious activity" on the city's computer network. Within hours, they were forced to take most government systems offline. Five days later, the city declared a state of emergency — and services were still down with no timeline for recovery.

For the roughly 33,000 residents of this Bay Area municipality, the impact was immediate: permit applications, utility payments, public records requests, and most routine government services ground to a halt. Only police and 911 services remained operational.

Foster City isn't an outlier. It's a warning.

How Did This Likely Happen?

While the city has not disclosed the exact attack vector, cybersecurity experts point to a familiar playbook. Jake Tarrant, an incident response manager at cybersecurity firm Logically, outlined the most probable scenarios for attacks like this.

Scenario 1: A Phishing Email That One Employee Clicked

The most likely entry point is a phishing email. A city employee — perhaps in finance, public works, or administration — receives an email that looks like it's from a trusted vendor, a colleague, or a government agency. It contains a link to a credential-harvesting page or a malicious attachment.

One click. That's all it takes.

Municipal employees process hundreds of emails a day — permit applications, vendor invoices, public inquiries, inter-departmental memos. The volume alone creates the perfect conditions for a phishing attack to slip through. Unlike private sector employees who may handle a narrow set of communications, government workers interact with the general public, making every inbound email a potential threat.

Scenario 2: An Exposed or Misconfigured Firewall

The second most likely vector is an exploited vulnerability in the city's network perimeter. Many municipalities run on aging infrastructure with firewalls and VPN appliances that haven't been patched in months — or years. Attackers actively scan for these weaknesses using automated tools.

A single unpatched firewall or an exposed Remote Desktop Protocol (RDP) port is an open door. Once through, attackers are inside the network with minimal friction.

Scenario 3: Compromised Vendor or Third-Party Access

Municipalities rely on a web of third-party vendors for everything from utility billing software to building inspection systems. If any vendor's credentials are compromised — or if their remote access isn't properly segmented — attackers can use that trust relationship as a bridge into city systems.

What Happens After the Breach

Regardless of the entry point, what follows is devastatingly fast. As Tarrant explained: "Once they're on the network, it's kind of like being inside your house — you've infiltrated those walls, you're able to pivot to different parts of the network."

Attackers locate critical servers, exfiltrate sensitive data, and encrypt systems — often within hours of gaining initial access. By the time IT teams detect the intrusion, the damage is already done. Recovery, according to Tarrant, typically takes three to six weeks for a return to normalcy.

Why Municipalities Are Prime Targets

This isn't a new trend — it's an accelerating crisis. The Department of Homeland Security allocated $375 million in 2023 specifically to help smaller governments defend against cyber threats. That funding exists because the problem is massive:

  • Limited IT budgets: Most small municipalities lack dedicated cybersecurity staff. IT teams are stretched thin managing infrastructure, not hunting threats.
  • Legacy systems: Government technology refresh cycles are slow. Many cities run outdated operating systems, unpatched software, and aging network equipment.
  • High-value data: Municipal systems hold Social Security numbers, tax records, utility payment data, law enforcement records, and building permits — a goldmine for attackers.
  • Low security awareness: Without regular training, employees don't recognize phishing emails, social engineering tactics, or suspicious network behavior.
  • Public accountability: Unlike a private company that can quietly pay a ransom, cities face intense public scrutiny and political pressure to restore services, giving attackers leverage.

Oakland, California experienced a similar attack in 2023, exposing employee information and disrupting city operations for weeks. Atlanta, Baltimore, Dallas — the list of paralyzed cities grows every year.

The Human Factor Is the Weakest Link — and the Strongest Defense

Firewalls, endpoint detection, and network segmentation are essential. But the vast majority of cyberattacks begin with a human action: clicking a link, opening an attachment, entering credentials on a fake login page, or falling for a phone-based social engineering attack.

In the Foster City scenario, the most probable cause was a phishing email. This means the most impactful investment a municipality can make isn't another piece of hardware — it's training the people who use the systems every day.

You can't firewall human judgment. But you can train it.

How empowsec Helps Municipal Governments Build Resilience

empowsec is purpose-built for organizations that need to turn their workforce from a liability into a line of defense. Here's how our platform addresses the specific challenges that municipalities face.

Realistic Phishing Simulations

Generic "click here to claim your prize" tests don't prepare employees for real attacks. empowsec's phishing simulation engine lets you craft campaigns that mirror the exact threats municipal workers face:

  • Fake vendor invoices targeting finance departments
  • Spoofed permit application notifications for planning staff
  • Impersonated IT helpdesk password reset requests
  • Fraudulent inter-agency communications

When an employee clicks, they're immediately directed to targeted remedial training — not a shame-based gotcha, but a teachable moment that builds lasting awareness.

Role-Based Training Paths

A city clerk, a police dispatcher, and an IT administrator face very different threat landscapes. empowsec's training platform delivers role-specific content so every employee gets training relevant to their actual job function. Department heads and elected officials receive leadership-focused modules covering their governance and oversight responsibilities.

Automated Compliance and Reporting

Municipal governments face increasing regulatory pressure to demonstrate cybersecurity readiness. empowsec provides:

  • Completion tracking: Prove every employee completed required training
  • Simulation results: Document phishing click rates and improvement over time
  • Department-level scorecards: Identify which departments need additional attention
  • Risk scoring: Quantify your organization's human risk factor with behavioral metrics that evolve over time

When auditors, council members, or the public ask "what are we doing about cybersecurity?" — you'll have data-backed answers.

Ongoing Engagement, Not Annual Checkboxes

A once-a-year security awareness video doesn't change behavior. empowsec delivers continuous micro-training — short, interactive modules deployed throughout the year, reinforced by periodic phishing simulations. This approach is backed by research: spaced repetition and active learning reduce phishing susceptibility by up to 72% within the first 90 days.

Our platform includes interactive formats like scenario-based exercises, email simulations, and drag-and-match challenges that keep employees engaged — not just compliant.

Simple Deployment for Lean IT Teams

We know municipal IT departments are small and overextended. empowsec is designed for minimal administrative overhead:

  • Automated onboarding: New hires are automatically enrolled in training based on their department
  • Recurring assignments: Training renewals happen automatically on configurable cycles
  • Escalation workflows: Overdue training automatically escalates to supervisors
  • Managed service options: For cities that need a fully managed solution, our partner network can handle everything

The Cost of Inaction

Foster City's attack will cost the city far more than a cybersecurity program ever would. Consider the real costs:

  • Incident response and forensics: Engaging independent cybersecurity specialists — typically $300-500/hour
  • Service disruption: Weeks of degraded or suspended government operations
  • Data breach liability: Potential exposure of resident and employee personal information
  • Reputational damage: Loss of public trust in the city's ability to protect sensitive data
  • Recovery and rebuilding: Three to six weeks of IT resources dedicated to restoration instead of serving residents

Compare that to the cost of security awareness training — a fraction of a single incident response engagement, deployed proactively to reduce the likelihood of an attack succeeding in the first place.

What Municipal Leaders Should Do Now

If the Foster City attack has your attention, here are three immediate steps:

  1. Assess your human risk: Run a baseline phishing simulation to understand how your employees would respond to a real attack today. empowsec offers this as a starting point for every new customer.
  2. Deploy role-based training: Don't send the same generic video to every employee. Tailor training to the specific threats each department faces.
  3. Build a reporting culture: Employees who report suspicious emails are your early warning system. Make reporting easy, celebrated, and blame-free.

The question isn't whether your municipality will be targeted. It's whether your employees will recognize the attack when it arrives.

Foster City's experience is a stark reminder that no government is too small to be a target — and that the human element remains the most critical line of defense. Investing in your people today is the most effective way to prevent a state of emergency tomorrow.
