In 2026, the public sector continues to face numerous cyber attacks, with data breaches often exposing sensitive information, disrupting essential services and undermining public trust. From municipal governments to federal agencies, public sector organizations of all sizes face challenges from threat actors exploiting outdated systems, human error and expanding digital footprints. These incidents are more than isolated security failures. They highlight systemic vulnerabilities and the urgent need for stronger cybersecurity strategies across government institutions.
Continue reading to learn about some of the most notable public sector data breaches of the year so far and the lessons they reveal for organizations tasked with protecting critical data.
Federal
Two major federal-level incidents in early 2026 underscore how vulnerable even the most sensitive government systems remain. In March, the Federal Bureau of Investigation (FBI) launched an investigation into suspicious cyber activity affecting systems tied to wiretaps and surveillance warrants. Just weeks later, a credential exposure report revealed thousands of U.S. state legislators’ email addresses were on the dark web, including hundreds with plaintext passwords, dramatically expanding the risk of unauthorized access across government networks.
FBI systems compromise
In March 2026, the FBI disclosed that it was investigating “suspicious cyber activity” affecting internal systems used to manage highly sensitive surveillance operations, including court-authorized wiretaps.
Early reporting indicated that attackers may have gained access to a network responsible for processing and storing lawful interception requests. These systems contain sensitive investigative data, targets and communications tied to national security cases. The bureau said it had identified and contained the activity but did not disclose the full scope, including whether data was exfiltrated. While some external reporting pointed to likely China-linked actors, the FBI did not publicly confirm attribution.
U.S. legislators’ credential exposure
In April, TechRadar reported that a recent security research report found over 3,500 U.S. legislators’ email addresses and credentials, including plaintext passwords in some cases, were exposed on the dark web. The report states:
“In fact, of the 5,312 US state legislator emails searched, 3,568 were discovered in a breach. The truly scary part is that 750 email addresses also had their passwords compromised.”
If Multi-Factor Authentication (MFA) isn’t in place, attackers could use these credentials to gain direct access to email accounts. Even a single compromised email account could escalate quickly, allowing an attacker to impersonate a government official and send phishing messages. The risk increases further if passwords are reused across other accounts, potentially granting access to high-level government systems and applications.
State and local government
Local municipalities and critical infrastructure providers are often targeted in cyber attacks. Here are a few examples from the first few months of 2026.
City of Los Angeles
A massive data breach in March at the Los Angeles City Attorney’s Office compromised 7.7 terabytes of data, exposing over 337,000 files, including sensitive Los Angeles Police Department (LAPD) records. The source of the breach was unauthorized access to a third-party file-transfer system used by the City Attorney’s Office.
The stolen data includes unredacted personnel files, internal investigations and confidential witness information. Multiple reports have tied the breach to a ransomware group called World Leaks, and the group itself has claimed responsibility for the attack. However, LAPD officials have not confirmed attribution to a specific group at this time.
City of Minot, ND, water treatment plant
A water treatment plant in the city of Minot, ND, suffered a ransomware attack in March, forcing facility operators to use manual gauge readings for almost a full day before a replacement server could be installed. The attack targeted a computer server tied to its Supervisory Control and Data Acquisition (SCADA) system, which operates as an industrial control “dashboard.”
Fortunately, city officials confirmed the region’s water supply was “safe at all times” during the incident. However, the attack highlights ongoing vulnerabilities in critical infrastructure, especially smaller or rural utilities with limited cybersecurity resources. In this case, the operational impact was limited, but the city is reviewing its cybersecurity practices, including training, system design and incident response improvements.
Winona County, MN
A cyber attack struck Winona County, MN, in early April 2026, forcing officials to shut down parts of the county’s computer network to contain the incident. The disruption took key public services offline, including DMV operations and access to vital records like birth and death certificates, while emergency services continued to function normally. The county declared a local emergency and brought in state and federal assistance, including the Minnesota National Guard, to help investigate the incident and restore systems.
As of now, authorities have not publicly identified who was responsible for the attack. The incident is the second cybersecurity attack in Winona County in 2026. The county was also the target of a ransomware incident in January that affected its network.
Education
Cyber threats targeting K-12 schools are widespread, with ransomware and other cyber attacks affecting districts across the country.
Alamo Heights ISD
A ransomware attack hit the Alamo Heights Independent School District in Texas in March 2026, forcing the district to shut down its network and leaving students and staff without internet, email and classroom tools for a full week. The disruption significantly affected instruction and day-to-day school operations, requiring a shift to limited or offline learning while systems were restored. The district brought in outside cybersecurity experts and notified law enforcement, including the FBI, to investigate the incident.
While systems have since been recovered, officials are still determining whether any sensitive student or staff data was accessed, raising concerns about potential data exposure and identity risks. The district has declined to say whether it paid a ransom, and no responsible group or individual has been publicly identified.
Spring Lake Park Schools, Minnesota
A school district in Minnesota faced a suspected ransomware incident in April. The technology team shut down its systems for several days to contain the threat after an unauthorized party accessed the network. Because some of the affected systems were necessary for safe school operations, the district canceled classes districtwide, along with child care, community education and after-school activities for two days. The district brought in third-party cybersecurity experts and contacted law enforcement, including the FBI, to investigate and restore services.
While classes resumed once systems were restored, the incident raised concerns about operational vulnerability and potential data exposure. Officials noted they had no evidence that personal data was compromised, and no individual or group has been publicly identified as responsible for the attack.
Protect against cyber attacks with Keeper Security
Keeper Security Government Cloud (KSGC) enables government agencies and educational institutions to secure and manage access to critical systems, including servers, web applications and databases. Keeper reduces ransomware risk by eliminating credential exposure, limiting lateral movement and controlling privileged access. KSGC meets rigorous standards, including FedRAMP High, GovRAMP High, FIPS 140-3 and ITAR, while supporting compliance with frameworks such as NIST 800-63B, CMMC, HIPAA, FISMA, DPA, FITARA, SOC and FINRA. Built-in logging, session recording and reporting tools strengthen audit readiness and compliance oversight. In addition, delegated administration and Role-Based Access Controls (RBAC) give system administrators comprehensive visibility and control over identity security and organizational risk.
Learn how Keeper can help protect your organization’s critical data. Request a demo today.