Industry: Public Sector · Updated May 2026

Public Sector Incident Cost: City Ransomware, Federal Breaches, and Election Infrastructure in 2026

$2.70M avg breach cost · $18M Baltimore 2019 total · $750M+ OPM 2015 cumulative · $1B SLCGP 2022-2025

The public sector reports the lowest sector average in IBM CODB 2025 at $2.70M per breach, but the headline aggregates two very different regimes. Routine breaches at small agencies sit far below the mean, while municipal ransomware events at cities and counties have repeatedly cleared $17M-$70M in publicly disclosed cost, and federal-scale incidents (OPM 2015, MOVEit 2023, the 2020 SolarWinds federal exposure) routinely run into the hundreds of millions to over a billion. The funding response (Infrastructure Investment and Jobs Act 2021 State and Local Cybersecurity Grant Program, CIRCIA implementation, Federal Zero Trust mandate) has materially reshaped public-sector security spending since 2022.

The Municipal Ransomware Benchmark Set

City and county ransomware events became a defining cost benchmark between 2018 and 2023. The events are well documented because municipal financial reporting is public and city councils typically debate response cost openly. The pattern is consistent: refusing the ransom often costs 20-50x the ransom amount in recovery cost, while paying does not guarantee operational restoration and creates long-tail compliance risk under OFAC sanctions guidance.

| Municipality | Year | Ransom Demanded | Decision | Total Cost |
|---|---|---|---|---|
| Atlanta, GA | Mar 2018 | $51K (BTC) | Refused | ~$17M |
| Baltimore, MD | May 2019 | $76K (BTC) | Refused | ~$18M |
| New Orleans, LA | Dec 2019 | undisclosed | Refused | ~$7M+ |
| Lake City, FL | Jun 2019 | $460K (BTC) | Paid | ~$1.1M total |
| Jackson County, GA | Mar 2019 | $400K (BTC) | Paid | ~$700K total |
| Albany, NY | Mar 2019 | undisclosed | Refused | ~$1M direct |
| Suffolk County, NY | Sep 2022 | undisclosed | Refused | ~$25M+ |
| Dallas, TX | May 2023 | undisclosed | Refused | $8.5M+ direct |
| Oakland, CA | Feb 2023 | undisclosed | Refused | $17M+ disclosed |
| Knoxville, TN | Jun 2020 | undisclosed | Refused | ~$700K direct |

Sources: city council disclosures, post-incident audits, news reporting cross-referenced with city financial statements. Total cost figures include direct response, system replacement, and disclosed productivity loss; they exclude long-tail litigation.

The OFAC Sanctions Issue

OFAC issued advisories in October 2020 and updated guidance in September 2021 making clear that paying a ransom to a sanctioned entity (which includes many of the most prolific ransomware operators) can be a violation of the International Emergency Economic Powers Act and the Trading With the Enemy Act. Penalties reach $311K per violation or twice the value of the underlying transaction, whichever is greater. The advisory does not prohibit ransom payment outright, but it does require attribution due-diligence and creates strict-liability exposure if the operator is later determined to be sanctioned.

For municipal entities specifically, the OFAC issue is acute because city councils must approve ransom payments publicly, which forecloses the path of paying quietly. This has shifted the municipal decision toward refusing to pay (visible across the post-2020 cohort in the table above) and absorbing the much higher recovery cost. The federal preference is clear: the FBI and CISA both formally discourage ransom payment, and CIRCIA reporting requirements (effective once the final rule is implemented under 6 USC 681) will require disclosure of paid ransoms, eliminating the option of quiet payment.

Federal-Scale Incidents

Federal-agency incidents operate at a different cost magnitude entirely. The cost stack includes incident response, system replacement, mandated independent forensics (often via a CISA-coordinated firm), Congressional-hearing preparation cost, Inspector General reviews, and credit-monitoring services for affected federal employees that frequently extend to lifetime monitoring for security-clearance-holders.

| Incident | Year | Cumulative Cost | Notes |
|---|---|---|---|
| OPM (PII and SF-86 data) | 2014-2015 | $750M+ | 22M federal employee and applicant records; lifetime monitoring offered |
| SolarWinds (federal scope) | 2020 | undisclosed; estimated $100M+ federal-only | Treasury, Commerce, State, DHS, Energy, Justice all affected |
| Microsoft Storm-0558 (federal email) | 2023 | undisclosed | 25 federal organisations affected; CSRB investigation |
| MOVEit Transfer (federal scope) | 2023 | $400M+ aggregate (federal+state) | CISA, OPM, DOE, USDA, others affected; Cl0p ransomware operator |
| SEC EDGAR breach | 2016 (disclosed 2017) | $10M+ direct | Test filings exfiltrated; insider-trading exposure |

The Funding Response

Public-sector security spending has been reshaped since 2021 by federal funding programs created in response to the municipal-ransomware wave and the federal-incident set. The most material programs:

  • State and Local Cybersecurity Grant Program (SLCGP). $1B over four federal fiscal years (FY22-FY25) administered by CISA. Allocations to states by formula, with 80% required to flow to local entities. Average grant per local entity has been $50K-$2M.
  • Tribal Cybersecurity Grant Program. $18.2M FY23 baseline, expanding annually. Tribal entities have historically been least funded and most vulnerable.
  • FEMA Homeland Security Grant Program. Cyber-eligible categories under SHSP and UASI; aggregate cyber spend $200M+/yr.
  • Federal Zero Trust Architecture mandate (OMB M-22-09). Applied to all federal civilian agencies; estimated cumulative implementation cost across CFO Act agencies $2-$5B.
  • CISA Cybersecurity Performance Goals (CPG). Voluntary baseline used by underwriters and contracting officers as de-facto required.

The funding has compressed but not eliminated the municipal-incident cost premium. SLCGP grants are typically applied to baseline hygiene (MFA deployment, asset inventory, EDR coverage) rather than incident-response capability. Municipal entities below a $50M annual budget remain under-resourced for credible IR capability, and 2024-2025 incident counts at small towns and rural counties have continued to climb.

Costa Rica: National-Scale Incident Cost

The April 2022 Conti ransomware attack on the Government of Costa Rica is the cleanest national-government-scale incident benchmark available. Conti exfiltrated approximately 670 GB of data from at least 27 government bodies, including the Ministry of Finance. President Rodrigo Chaves declared a national emergency. The Ministry of Finance was effectively offline for weeks; tax-collection systems, customs, and import/export workflows were disrupted. Costa Rican government estimates put direct economic cost at approximately $30M per day during the active incident, with cumulative cost above $200M over the multi-month resolution.

The Costa Rica incident is referenced regularly in CISA, ENISA, and World Bank assessments because it is the first publicly documented case of ransomware producing national-emergency-level economic disruption. It has informed subsequent OECD recommendations on ransomware-payment policy and the 2023-2024 Counter Ransomware Initiative joint statements.

Frequently Asked Questions

What is the average cost of a public sector data breach?
The IBM CODB 2025 puts public sector at $2.70M per breach on average, the lowest of any tracked industry. The headline is misleading because public-sector incidents are concentrated in two regimes: routine small-agency breaches well below the mean, and catastrophic municipal ransomware events that have repeatedly cleared $17M-$70M.
What did Atlanta and Baltimore ransomware cost?
Atlanta March 2018 (SamSam): refused $51K ransom, total cost approximately $17M. Baltimore May 2019 (RobbinHood): refused $76K ransom, total cost approximately $18M including $10M direct response and $8.2M lost revenue. Both became foundational case studies in CISA municipal ransomware guidance.
How big was the MOVEit federal exposure?
May-June 2023 MOVEit Transfer vulnerability (CVE-2023-34362) exploited by Cl0p ransomware operators against thousands of organisations including dozens of US federal agencies and state-level entities. CISA, OPM, DOE, USDA, and others were affected. Aggregate downstream cost across federal and state governments has been estimated at $400M+ in direct response.
What does an election-infrastructure incident cost?
Direct response cost (forensics, system replacement, voter notification) typically runs $500K-$5M for a county-level voter-registration breach. The much larger cost is systemic post-incident spend on hand-marked paper ballots, post-election audits, and EI-ISAC participation. Aggregated post-2016 spend on election security across federal grants and state appropriations has exceeded $1B.
Why are cities and counties such frequent ransomware targets?
Three factors combine. Security budgets are limited relative to attack surface: cities and counties hold data of enterprise sensitivity on small-business security spending. Operational disruption is highly visible, which raises pressure to pay. And similar targets are geographically dispersed, which lets ransomware operators efficiently reuse a working playbook. The State and Local Cybersecurity Grant Program created in IIJA 2021 made $1B available over four years to address this.
Are state-level incidents cheaper than federal?
On absolute cost, yes. State agency average breach cost runs $1M-$10M with rare $50M+ outliers. Federal agency breaches at large scale routinely reach $100M+. The 2015 OPM breach (22 million records of federal employees) cost approximately $750M+ over multi-year resolution. Federal incidents also have specific compliance overhead (FISMA, OMB M-22-09 zero trust, OMB M-21-31 logging) that state agencies do not bear.
What were the most expensive named public sector incidents?
OPM 2015 ($750M+ over 5+ years). MOVEit 2023 ($400M+ aggregate across federal and state). Costa Rica national Conti ransomware 2022 (~$200M+ disclosed). Baltimore 2019 ($18M). Atlanta 2018 ($17M). Suffolk County NY 2022 (~$25M+). Dallas 2023 ($8.5M+). Oakland 2023 ($17M+ disclosed).
IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.