The city of Sandstone, Minnesota this week notified residents of an April 2026 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Financial account numbers and routing numbers
- Addresses
- Dates of birth
A cybercriminal group called Qilin took credit for the breach on May 4, 2026. Qilin is a high-profile ransomware gang responsible for hundreds of attacks in the past few years.
Sandstone officials cited ransomware as the cause of the breach but have not acknowledged Qilin’s claim. We do not know how many people the city notified, if the city paid a ransom, how much Qilin demanded, or how attackers breached the city’s network. Read the city’s full statement in response to Comparitech’s request for comment at the bottom of this article.
“On or about April 8, 2026, the City discovered disruptions to our computer systems. We quickly determined we were the victim of a ransomware incident,” says the city’s notice (PDF) to victims.
“Due to the nature of ransomware, it is possible that private data may have been accessed by the perpetrators of the incident.”
Sandstone is offering breach victims free credit monitoring. To enroll, send an email to monitoring@sandstonemn.gov.
Who is Qilin?
Qilin is a ransomware gang that began claiming responsibility for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets organizations with phishing emails to spread its ransomware. The group runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.
In 2026 to date, Qilin has claimed responsibility for 557 ransomware attacks. Of those, 46 were confirmed by the organizations targeted.
Eight of Qilin’s confirmed attacks this year hit government entities. Three of them were in the USA:
- Tulsa International Airport reported a January 2026 data breach
- The city of Seal Beach and the Seal Beach Police Department reported a March 2026 data breach
- Rusk County, WI reported a March 2026 data breach
Ransomware attacks on US government
Comparitech researchers have logged 22 confirmed ransomware attacks on US government entities in 2026 to date. We confirmed the following attacks in April:
- Winona County, MN reported a data breach claimed by Interlock
- Kent District Library in Michigan reported a data breach claimed by Interlock
- Ardmore, OK reported attackers demanded $300,000 in ransom after a data breach
- Adams County, MS refused to pay a ransom following a data breach
- Harrison County Commission in West Virginia reported a data breach claimed by SafePay
In addition to the breach listed above, Winona County also notified 6,196 people about a separate data breach in January 2026.
Ransomware attacks on government entities can both steal data and lock down computer systems. They can disrupt any number of government systems from bill payments to court records and even emergency dispatch. Governments must pay a ransom for the stolen data and to restore systems, or else they face extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.
About Sandstone, Minnesota
Sandstone is home to about 2,500 people in Pine County, Minnesota.
In response to Comparitech’s request for comment, Sandstone city administrator Kathy George gave the following statement:
The City of Sandstone continues to respond to the recent cybersecurity incident affecting our organization. With the support of external cybersecurity professionals and law enforcement partners, our investigation remains ongoing.
While we do not currently have evidence that personal information is being misused, we recognize the concern incidents like this can create for employees, residents, and others in our community. Out of an abundance of caution, we are making free credit monitoring and identity protection services available to any concerned residents who would like to enroll.
Additional information about enrollment and available resources will be shared directly and posted on our website.
We remain committed to transparency and will continue providing updates as more information becomes available.