Seven-Month Silence: Inman, SC Reveals June Cyber Attack as Municipal Breaches Surge

Breached Company

20 Jan 2026 — 10 min read

The City of Inman, South Carolina, confirmed on January 9, 2026, that it was the victim of a cyber attack—an incident that occurred seven months earlier in June 2025. The delayed disclosure raises critical questions about municipal breach notification practices and the growing vulnerability of small-city government infrastructure.

The Delayed Disclosure

City officials declined to provide specifics about the incident, citing an ongoing investigation by the Spartanburg County Sheriff's Office and FBI Cyber Crimes division. When pressed about financial losses, the city administrator stated: "Because this is an open case we are not able to make additional comments."

This seven-month gap between the June 2025 attack and January 2026 public disclosure highlights a troubling pattern in municipal cybersecurity incidents. While private companies face strict SEC disclosure requirements mandating notification within four business days of determining an incident is material, municipalities operate under a patchwork of state-level breach notification laws with varying timelines and thresholds.

Why Municipalities Delay Disclosure

Unlike publicly-traded corporations governed by SEC regulations, municipalities face different pressures when deciding when—and how—to disclose cyber incidents:

Investigative Concerns: Law enforcement often requests delayed disclosure to avoid tipping off attackers or compromising ongoing investigations. The involvement of FBI Cyber Crimes suggests this may be a factor in Inman's case.

Forensic Complexity: Small municipalities rarely have in-house cybersecurity expertise. The investigation process—determining what data was accessed, whether ransomware was deployed, and assessing the full scope of the breach—can take months with external forensic teams.

Legal Liability: Premature disclosure before fully understanding the incident can expose municipalities to additional legal risk. City attorneys often advise caution until the full picture emerges.

Political Considerations: Municipal leaders face electoral pressure and public confidence issues that can influence disclosure timing, particularly when financial losses are involved.

Resource Constraints: Unlike Fortune 500 companies with dedicated incident response teams, small cities like Inman (population ~50,000) typically lack the infrastructure for rapid breach assessment and public communication.

The Municipal Cyber Attack Epidemic

Inman joins a growing list of municipalities hit by cyber attacks in 2025. The trend is alarming, with cities and towns across America facing an unprecedented wave of ransomware operations:

St. Paul, Minnesota declared a state of emergency in July 2025 following a ransomware attack by the Interlock group that crippled city systems. Attackers gained access around July 20 through a backdoor enabling remote access trojan deployment, leading to data exfiltration and encryption.

Summerville, South Carolina (just 25 miles from Charleston) suffered a ransomware attack in July 2024 that raised questions about data compromise despite initial assurances. The town, home to roughly 50,000 people, brought in the South Carolina Critical Infrastructure Cybersecurity Task Force, SLED Computer Crimes, FBI, and SC National Guard.

Spartanburg County itself (where Inman is located) dealt with a ransomware attack in April 2023 that limited IT and phone systems, forcing the county to provide alternative contact numbers for local government agencies.

City of Mundelein, Illinois began notifying victims in January 2025 of a data breach that compromised medical, health insurance, and financial account information. Medusa ransomware group claimed responsibility, initially demanding $400,000, later reduced to $250,000.

City of Attleboro, Massachusetts became another victim in November 2025, with cyberattacks crippling IT systems, knocking offline city and police phone lines, and forcing staff to revert to manual, paper-based procedures. The attack was part of what experts described as one of the most devastating periods for municipal cybersecurity in U.S. history.

The problem extends beyond U.S. borders. Multiple London borough councils were hit by coordinated cyber attacks in November 2024, raising serious questions about the security of shared IT infrastructure in local government worldwide.

Why Municipalities Are Prime Targets

Bruce Smalley, Director of the South Carolina Critical Infrastructure Cybersecurity Program (SC CIC), explains that "local governments like city and county offices are most at risk of being hacked." Several factors make municipalities particularly vulnerable:

1. Legacy Infrastructure

Many municipalities run decades-old systems with known vulnerabilities. Budget constraints make modernization difficult, leaving critical systems exposed to well-documented exploits.

2. Limited Cybersecurity Budgets

Small cities typically allocate minimal resources to cybersecurity. While SC CIC operates on just $850,000 annually (though Smalley estimates it has saved taxpayers $15-20 million), most individual municipalities have far less—often just part of one IT staff member's responsibilities.

3. High-Value Targets

Municipal systems contain treasure troves of sensitive data: Social Security numbers, financial information, law enforcement records, property data, and utility information. The 2012 South Carolina Department of Revenue breach exposed 3.6 million Social Security numbers, demonstrating the scale of potential data compromise.

4. Operational Pressure to Pay

Unlike corporations that can sometimes weather operational disruptions, municipalities provide essential services—water, emergency services, permitting, payroll. This creates enormous pressure to pay ransoms quickly to restore services, making them attractive targets for ransomware operators.

5. Phishing Susceptibility

According to Smalley, many attacks are "essentially drive-by that is related to phishing that is delivered to millions of email boxes." Municipal employees often lack regular cybersecurity training, making them vulnerable to credential theft and initial access attacks.

The 2025 Ransomware Landscape

The Inman attack occurred during an unprecedented surge in ransomware activity. Key trends from 2025:

Record Attack Volumes: GuidePoint Security tracked 2,287 unique victims in Q4 2025 alone—the largest quarterly victim count on record. The year ended with 7,515 claimed victims, averaging 145 new victims added to dark web data leak sites every week.

Ecosystem Fragmentation: Following law enforcement disruptions of major ransomware-as-a-service (RaaS) operations like RansomHub in April 2025, the landscape fragmented dramatically. By Q3 2025, 85 active data leak sites were tracked, with 47 groups publishing fewer than ten victims—indicating a surge in smaller, independent operators. Major groups like Clop continue to operate sophisticated campaigns, but the RaaS model has evolved into a more decentralized threat landscape.

Double Extortion Dominance: Modern ransomware attacks don't just encrypt data; they exfiltrate it first. Attackers threaten to publish stolen data if ransom isn't paid, even if victims have backups. This explains the FBI's involvement in Inman's case—data exfiltration creates both privacy breach obligations and potential federal crimes.

Declining Payment Rates: Despite increased attack volumes, ransom payment rates plummeted to 23-25% in 2025, forcing threat actors to adapt tactics. Some now target individual victims within breached organizations (as seen in the PowerSchool incident affecting multiple school districts).

Attack Vector Analysis

While Inman hasn't disclosed technical details, typical municipal attack vectors in 2025 include:

Compromised Credentials (23-25% of incidents): Automated brute-forcing of VPNs, firewalls, and remote desktop services. Groups like Black Basta, RansomHub, and DragonForce increasingly rely on stolen or weakly secured credentials.

Exploited Vulnerabilities (~29% of incidents): Rapid exploitation of newly disclosed vulnerabilities, particularly in:

FortiGate firewalls (CVE-2024-21762, CVE-2024-55591)
Microsoft Exchange servers
Unpatched VPN appliances
Legacy systems with known vulnerabilities

Phishing Campaigns: The most common initial access method for municipal targets. Sophisticated campaigns use social engineering to deliver credential-stealing malware or establish initial footholds for lateral movement.

South Carolina's Cyber Response Infrastructure

Inman benefits from South Carolina's relatively robust state-level cybersecurity support:

SC Critical Infrastructure Cybersecurity (SC CIC) Program: Operating within SLED since 2019, SC CIC provides:

Cyber monitoring services
Incident response assistance
Tabletop exercises
Security assessments
Free incident response services to qualifying organizations

125th Cyber Protection Battalion: South Carolina is one of only five states with a dedicated cyber-focused Army National Guard battalion, capable of deploying for incident response.

Multi-Agency Response: The Inman investigation involves Spartanburg County Sheriff's Office, FBI Cyber Crimes, and likely SC CIC—demonstrating the state's coordinated approach to municipal incidents.

Lessons for Other Municipalities

The Inman incident offers critical lessons for small cities nationwide:

Immediate Actions

Establish FBI Relationships Now: Don't wait for an incident. The FBI recommends municipalities establish relationships with local field office cyber squads before attacks occur. This facilitates faster response and better investigation outcomes.
Implement Offline Backups: Regular, tested, offline backups are the single most effective ransomware defense. Many municipalities back up to network-attached storage—which gets encrypted along with production systems.
Segment Networks: Critical systems should be isolated from general networks. A compromised workstation in the parks department shouldn't lead to encrypted police systems.
Mandatory MFA Everywhere: Multi-factor authentication on all remote access points, VPNs, and administrative accounts dramatically reduces credential stuffing success rates.
Regular Phishing Training: Since phishing remains the primary attack vector, regular employee training with simulated attacks is essential. Make it engaging, not punitive.

Longer-Term Investments

Patch Management Discipline: Establish and follow rigorous patch management procedures, prioritizing internet-facing systems and known-exploited vulnerabilities. The Qilin group's FortiGate exploitation demonstrates how quickly attackers weaponize disclosed vulnerabilities.
Tabletop Exercises: Regularly practice incident response procedures. Who makes the decision to take systems offline? Who communicates with the public? What's the media strategy? These decisions shouldn't be made for the first time during an actual incident.
Cyber Insurance Evaluation: Understand what cyber insurance actually covers. Many policies exclude social engineering attacks or have stringent security control requirements. Review policies annually as the threat landscape evolves.
Vendor Risk Management: Third-party vendors often have broad access to municipal systems. The PowerSchool breach affecting South Carolina Department of Education demonstrates supply chain vulnerability, as does the massive Conduent breach that compromised over 10.5 million Americans through government contractor systems.
State Resource Utilization: Most states offer free or low-cost cybersecurity services to municipalities. South Carolina's SC CIC is exemplary, but similar programs exist nationwide. Use them.

The Disclosure Dilemma

Inman's seven-month silence before disclosure highlights the complex balance municipalities face. Unlike corporations with clear regulatory frameworks, cities must navigate a complex web of state-level breach notification requirements:

State breach notification laws with varying triggers and timelines (South Carolina's specific requirements can be checked using this breach notification tracker)
Law enforcement investigation needs that may require confidentiality
Public trust considerations balanced against operational security
Legal liability concerns about premature or incomplete disclosure
Resource constraints limiting forensic investigation speed

There's no easy answer, but transparency generally serves the public interest. Residents deserve to know when their personal information may be compromised, even if full details remain unclear. A basic framework might include:

Initial Notice: Acknowledge the incident publicly within 30 days, even if details are limited
Regular Updates: Provide status updates every 30-60 days during investigation
Final Report: Issue comprehensive summary once investigation concludes
Lessons Learned: Share technical details (where appropriate) to help other municipalities

The FBI's Role

The involvement of "FBI Cypher Crimes" (likely FBI Cyber Division) in Inman's investigation suggests several possibilities. The FBI has been increasingly active in disrupting ransomware operations throughout 2025:

Data Exfiltration: If attackers stole data containing personally identifiable information across state lines, federal jurisdiction applies. The FBI investigates data breach cases involving federal law violations, with the Internet Crime Complaint Center (IC3) serving as the primary hub for cyber incident reporting.

Ransomware Attribution: The FBI works to attribute attacks to specific threat actors and track ransom payments through cryptocurrency. Even if Inman doesn't publicly confirm ransomware, FBI involvement suggests it's likely.

Pattern Recognition: The FBI may see connections between Inman's incident and other attacks—similar tactics, infrastructure, or threat actors. This intelligence sharing helps prevent future incidents.

Recovery Assistance: The FBI sometimes possesses decryption keys for certain ransomware variants or can facilitate negotiation with threat actors (though paying ransoms isn't recommended).

The Financial Question

The city administrator's refusal to comment on financial losses is telling. Possibilities include:

Ransom Payment: If the city paid a ransom, disclosure could invite additional attacks or public backlash
Recovery Costs: Forensic investigation, system remediation, legal fees, and notification costs often exceed initial ransom demands
Insurance Complications: Ongoing insurance claims may preclude public disclosure of losses
Litigation Concerns: Potential class-action lawsuits from affected residents make financial disclosure legally risky

The average ransomware recovery cost in 2025 approached $4.5 million for mid-sized organizations, though municipal costs vary widely based on scope and existing cybersecurity maturity.

Moving Forward

Inman's experience reflects the new reality for municipalities nationwide. The ransomware epidemic shows no signs of abating, and small cities remain attractive targets due to limited defenses, valuable data, and operational pressure to restore services quickly.

The seven-month disclosure delay, while potentially justified by investigative needs, highlights the need for clearer municipal breach notification standards. Residents deserve timely information about threats to their personal data, even when full incident details remain unclear.

For other municipalities, Inman's incident serves as a wake-up call. Cyber attacks on small cities aren't hypothetical—they're happening weekly across America. The question isn't whether an attack will occur, but when, and whether the municipality will be prepared to respond, recover, and communicate effectively.

Bruce Smalley's assessment bears repeating: local governments are "most at risk of being hacked." With ransomware attacks up 58% in 2025 and 145 new victims appearing weekly on dark web leak sites, every municipality should ask: Are we next? And if so, are we ready?

Recommendations for Inman Residents

If you're an Inman resident concerned about this incident:

Monitor Financial Accounts: Watch for unusual activity on bank accounts, credit cards, and financial statements
Consider Credit Monitoring: Many breach victims receive free credit monitoring services—watch for notification letters
Enable Fraud Alerts: Place fraud alerts with credit bureaus (Equifax, Experian, TransUnion)
Review Credit Reports: Check for unauthorized accounts or inquiries
Be Wary of Phishing: Breached data often leads to targeted phishing campaigns claiming to be from the city
Stay Informed: Monitor city communications for updates as the investigation progresses

Conclusion

The Inman cyber attack represents more than one small city's security failure—it's a symptom of systemic vulnerability in municipal cybersecurity infrastructure nationwide. As attacks surge and threat actors fragment into smaller, more agile groups, cities need coordinated federal, state, and local responses.

South Carolina's investment in SC CIC and the 125th Cyber Protection Battalion provides a model other states should emulate. But ultimate responsibility rests with individual municipalities to prioritize cybersecurity, even amid competing budget pressures.

For the cybersecurity community, Inman's experience reinforces a critical mission: helping under-resourced organizations defend against well-funded, sophisticated threat actors. Whether through pro bono consulting, knowledge sharing, or advocacy for better funding, we all have a role in protecting our communities from cyber threats.

The seven-month silence is over for Inman. The investigation continues, and residents await answers about what data was compromised and what the city is doing to prevent future incidents. One thing is certain: they won't be the last small city to face this challenge.

Sources: FOX Carolina, The Record, StateScoop, SC CIC, FBI guidelines, GuidePoint Security Research and Intelligence Team, Check Point Research, various cybersecurity news outlets.

For municipalities seeking cybersecurity assistance, contact your state's critical infrastructure protection program or local FBI field office cyber squad.