A Bay Area city of 34,000 was brought to a near standstill in hours. The story isn’t about failure — it’s about a challenge every public-sector IT team is navigating right now.
According to SFGate, The Daily Journal, and Foster City’s website, on the morning of March 19, 2026, IT staff at the City of Foster City, California, discovered ransomware on the city’s networks. By the time most residents woke up, nearly every non-emergency public service had been paused. City Hall went quiet. Employees shifted to working from home. The City Manager’s Office declared a state of emergency. Independent cybersecurity specialists were brought in.
Emergency services — 911, police dispatch — remained fully operational. That detail matters. The city’s IT team made a fast call to contain the damage and protect life-safety systems first. That’s not negligence. That’s incident response working exactly as it should under enormous pressure.
What happened in Foster City is not an isolated incident, and it is not a story about a city that fell behind. It is a story about the structural complexity every municipal IT team faces — and why the organizations getting ahead of it now are setting the standard for public-sector resilience.
Officials have been appropriately measured in what they’ve shared publicly — investigation details are limited by design. What is clear is that the attack was ransomware, the blast radius was significant across city services, and the city moved quickly to bring in outside expertise.
Foster City joins a pattern that California’s municipalities know well. Oakland was hit by ransomware in 2023, with personal data of employees and residents ultimately exposed. Hayward followed months later, with its city network offline for two weeks. St. Helena experienced a similar incident in 2024. Just days after Foster City’s breach, LA Metro reported that its security team had discovered unauthorized activity on internal administrative systems.
Ransomware gangs are not randomly targeting government networks. Municipal and public-sector systems are specifically attractive because they often operate legacy infrastructure, manage personally identifiable information, and — critically — carry enormous public pressure to restore services quickly. That urgency is leverage attackers count on.
Municipal IT teams aren’t underfunded and overwhelmed because they don’t care about security. They’re navigating one of the most structurally complex environments in any sector — legacy systems, OT networks, regulatory obligations, and community accountability — with constrained resources and very little room for error.
To understand why municipal networks are challenging to defend, it helps to understand what those networks actually contain. Modern city infrastructure is not just email servers and workstations. It includes operational technology — traffic management systems, public works controls, building management, surveillance and dispatch systems. These OT environments were often built before cybersecurity was a design consideration, and they sit in the same network environment as administrative IT systems.
When IT and OT networks converge without proper segmentation, the blast radius of any breach grows fast. A compromised endpoint in the finance department can, in the wrong architecture, reach systems it should never touch. This is the structural risk that Zero Trust architecture is specifically designed to contain — not by assuming the perimeter will hold, but by ensuring that even when something gets in, it cannot move laterally across the environment.
That principle — limiting the blast radius — is the most important architectural concept for any organization that can’t afford to have its entire network go dark at once.
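The blast-radius point above can be checked against a zone-to-zone allow list before an incident does it for you. The following is an added example, not part of the original article: the zone names and both policies are constructed, and the model assumes a compromised host can use any allowed flow and chain flows together.

```python
from collections import deque

# Constructed allow lists: source zone -> zones it may open connections to.
# All zone names are hypothetical.
FLAT_POLICY = {
    "finance": {"admin-it", "file-servers"},
    "admin-it": {"finance", "file-servers", "traffic-ot", "building-ot", "dispatch"},
    "file-servers": {"admin-it"},
    "traffic-ot": {"admin-it"},
    "building-ot": {"admin-it"},
    "dispatch": set(),
}
SEGMENTED_POLICY = {
    "finance": {"file-servers"},
    "admin-it": {"file-servers"},
    "file-servers": set(),
    "ot-jump": {"traffic-ot", "building-ot"},  # reached only via a brokered, per-session grant
    "traffic-ot": set(),
    "building-ot": set(),
    "dispatch": set(),
}
OT_ZONES = {"traffic-ot", "building-ot", "dispatch"}


def reachable_paths(policy, start):
    """Breadth-first search over allowed flows: {zone: shortest rule chain from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(policy.get(zone, ())):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def ot_exposure(policy, start, protected):
    """Protected zones reachable from `start`, with the chain of rules that allows it."""
    return {z: p for z, p in reachable_paths(policy, start).items() if z in protected}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "blast radius from finance:", sorted(reachable_paths(policy, "finance")))
        for zone, chain in sorted(ot_exposure(policy, "finance", OT_ZONES).items()):
            print("  exposed:", zone, "via", " -> ".join(chain))
```

Each reported chain names the specific rules to remove or broker; an empty result for a workstation zone is the property segmentation is meant to guarantee.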
The cities that weather these events best aren’t the ones with the biggest IT budgets. They’re the ones that have built operational resilience as a deliberate strategy. That means a few specific things.
It means knowing exactly who has access to critical systems and from which devices — and regularly reviewing that access so stale credentials and over-provisioned accounts aren’t lying dormant waiting to be exploited. It means having your environment segmented so that a ransomware payload that gets onto one system cannot freely propagate across the network. It means having 24/7 monitoring with a team that can detect anomalous behavior before it becomes a city-wide outage. And it means having documented, practiced response procedures — so when something happens at 3 a.m. on a Thursday, the team knows exactly what to do in the first thirty minutes.
None of this eliminates risk entirely. But it changes the outcome. The difference between a contained incident and a state of emergency often comes down to architecture and preparation built months or years before the attack occurred.
The IT professionals at Foster City — and at every other city navigating a breach this week — are doing extraordinarily difficult work under intense public pressure. They serve communities that depend on them. They are working around the clock with outside specialists to restore systems, protect data, and keep essential services running. That deserves acknowledgment, not criticism.
The goal for every public-sector IT leader is to reach a security posture where this kind of event becomes far less likely, and far less damaging when it does occur. That’s a journey, not a switch — and the organizations making progress on it are doing so by building the right architecture, the right partnerships, and the right culture of resilience over time.
AllConnected works with cities, water districts, municipalities, and public-sector organizations across Ventura and North Los Angeles Counties to build the operational resilience and security posture that communities depend on.
If your organization is working to align with CISA’s Cybersecurity Performance Goals 2.0, implement a Zero Trust Architecture (NIST SP 800-207), or build a cybersecurity program around the NIST Cybersecurity Framework 2.0 — these are exactly the conversations we’re built for. We help public-sector teams translate framework requirements into practical, operational security programs that work within real-world resource constraints.
No pressure. No pitch. Just a direct conversation with people who understand this environment.