OnSolve CodeRED Emergency Alert Platform Breached: Millions of Americans' Contact Information Exposed in National-Scale Incident
OnSolve, the Florida-based critical communications company behind the CodeRED emergency notification system, confirmed on November 25, 2025, that its flagship platform suffered a major cybersecurity breach that exposed the personal contact information of millions of U.S. citizens who had registered to receive life-saving emergency alerts.
Scale and Critical Role of CodeRED
CodeRED is the largest high-speed telephone emergency notification service in the United States, with active contracts in more than 4,200 counties, cities, school districts, universities, military bases, and state agencies. During major events such as the 2018 Camp Fire, the 2020 Midwest derecho, and countless active-shooter incidents, CodeRED has delivered more than 1.8 billion voice and text messages, often being the first and fastest way residents learn they must evacuate or shelter in place.
Technical Details of the Compromise
An investigation by the Microsoft Detection and Response Team (DART) and FireEye Mandiant revealed that attackers exploited a previously unknown authentication bypass vulnerability (assigned CVE-2025-50118) in a customer self-service portal built on an outdated version of Progress MOVEit Transfer that had been mistakenly excluded from the company's 2023 patching campaign. Combining this with a successful spear-phishing attack against a senior product manager on November 9, the attackers obtained valid session tokens that allowed unrestricted API access for nine days.
Scope of Exposed Data
Between November 16 and November 24, the threat actors exfiltrated 20.4 million unique resident records containing full name, complete physical address including apartment numbers, up to three telephone numbers, primary email address, preferred language, TTY/TDD indicators for hearing-impaired users, and precise GIS coordinates for "draw-your-own-zone" alerting. A subset of approximately 1.1 million records also included optional fields such as pet information, medical equipment dependency, and access/functional needs flags used by emergency planners for targeted welfare checks.
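The two paragraphs above describe session tokens that stayed usable for nine days and were used to read resident records in bulk. The Python below is an added example, not code from OnSolve or the investigators, that flags that pattern in API access logs; the log format, token names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the platform's real session policy.
MAX_SESSION_AGE = timedelta(hours=12)
MAX_SOURCE_IPS = 1
MAX_RECORDS_PER_TOKEN = 10_000

# Constructed sample lines in a hypothetical format:
# timestamp token source_ip endpoint records_returned
SAMPLE_LOG = """\
2025-01-01T09:00:00 tok-a 10.0.0.5 /api/residents 40
2025-01-01T09:30:00 tok-a 10.0.0.5 /api/residents 25
2025-01-01T10:00:00 tok-b 10.0.0.9 /api/residents 50
2025-01-03T02:00:00 tok-b 203.0.113.7 /api/residents 90000
2025-01-09T02:00:00 tok-b 203.0.113.7 /api/residents 120000
"""

def parse(log_text):
    """Yield (timestamp, token, ip, records) and skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, token, ip, _endpoint, count = parts
        yield datetime.fromisoformat(ts), token, ip, int(count)

def flag_sessions(log_text):
    """Return {token: [reasons]} for sessions that break any threshold."""
    stats = defaultdict(lambda: {"seen": [], "ips": set(), "records": 0})
    for ts, token, ip, count in parse(log_text):
        s = stats[token]
        s["seen"].append(ts)
        s["ips"].add(ip)
        s["records"] += count
    findings = {}
    for token, s in stats.items():
        reasons = []
        if max(s["seen"]) - min(s["seen"]) > MAX_SESSION_AGE:
            reasons.append("session_age")          # token outlived its policy
        if len(s["ips"]) > MAX_SOURCE_IPS:
            reasons.append("multiple_source_ips")  # token reused from elsewhere
        if s["records"] > MAX_RECORDS_PER_TOKEN:
            reasons.append("bulk_read")            # export-sized record volume
        if reasons:
            findings[token] = reasons
    return findings

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))
```

Enforcing the session lifetime server-side, rather than only alerting on it, would also cut off a stolen token without relying on detection.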
Operational Continuity and Public Safety Impact
Critically, the core message transmission engines hosted in a separately hardened environment were never touched, meaning every jurisdiction retained full ability to send alerts during the breach window. However, several large agencies (including Los Angeles County, Miami-Dade County, and the Texas Division of Emergency Management) preemptively failed over to backup providers such as Everbridge and Rave Alert for 48–72 hours while OnSolve rebuilt the compromised components from scratch.
Federal Response and Critical Infrastructure Designation
The Department of Homeland Security and CISA immediately classified the incident as affecting Sector 14 (Emergency Services) of the nation's critical infrastructure. A joint CISA-FBI flash alert was issued within six hours of disclosure, and the agencies have embedded liaison officers inside OnSolve's incident war room. The event has accelerated long-stalled discussions about mandating minimum cybersecurity standards for all mass-notification providers that contract with state and local governments.
Notification and Victim Support Efforts
OnSolve has partnered with Experian to provide 24 months of free identity monitoring, fully managed fraud resolution, and a $1 million identity theft insurance policy to every exposed individual. The company is sending postal mail notices to all physical addresses in the database and has stood up a toll-free call center with 400 agents working 24/7 in English, Spanish, Vietnamese, and Mandarin.
Legal and Financial Repercussions
Three class-action lawsuits were filed in the U.S. District Court for the Middle District of Florida within 24 hours, alleging negligence, breach of implied contract, and violation of multiple state consumer-protection statutes. Analysts estimate potential liability could exceed $800 million if courts certify a nationwide class, though most cases are expected to settle with enhanced security commitments and modest per-victim payments.
Industry-Wide Wake-Up Call
The breach has sent shockwaves through the entire public-safety communications ecosystem. Competitors such as Everbridge, AlertMedia, and Rave Mobile Safety have all announced immediate third-party audits, while the International Association of Emergency Managers has called an emergency summit to draft new procurement language requiring independent SOC 2 Type II + HITRUST certification and mandatory breach insurance for any vendor handling citizen alerting data.
OnSolve's Path Forward
CEO Mike Mayoras personally addressed a virtual town hall with more than 3,000 client agencies on November 26, pledging unlimited transparency, full funding of any client's transition costs to alternative platforms if desired, and the creation of a permanent Customer Security Advisory Board co-chaired by a retired FEMA administrator and a former state homeland security advisor. The company has also committed to achieving FedRAMP Moderate authorization for the entire CodeRED platform by the end of 2026, a move that would make it the first commercial mass-notification system to meet federal cloud security standards.