Group behind St. Paul cyberattack alleges posting 43 gigabytes of stolen data online, mayor says
The group behind the cyberattack on St. Paul has claimed to have posted online 43 gigabytes of data stolen from the city's systems, Mayor Melvin Carter said Monday evening.
IT workers were first made aware of "suspicious activity" on July 25 and moved systems offline shortly after to minimize damage, the city said. Carter said Monday that the U.S. Cybersecurity and Infrastructure Security Agency posted an advisory three days before the breach about the group responsible.
"The advisory describes a sophisticated, money-driven organization known for stealing and selling massive volumes of sensitive information from large corporations, hospitals and governments," he said. "Operations that have resulted in stolen data measured in the terabytes."
The files posted "appear to come largely from a single shared network drive" used by the Parks and Recreation Department, and are "varied and unsystematic," according to Carter.
"They include everything from work documents, copies of IDs submitted for HR or travel or even personal items like recipes," he said.
The city allegedly hosts more than 153 terabytes of data on its servers.
"In other breaches by this group, they have stolen and sold terabytes, thousands of gigabytes from a single victim," Carter said.
The group demanded a ransom, according to Carter, which the city did not pay.
The city is offering 12 months of free credit monitoring and identity theft protection insurance to every full-time, part-time and seasonal employee, regardless of whether their data was breached.
Officials have also installed "advanced security software" on 90% of all city devices.
Cybersecurity expert Paul Keener says this kind of organized crime is the new normal, maybe even easier with artificial intelligence.
"As long as there's money and there's opportunity, they're going to do that," Keener said.
Since the attack, residents haven't been able to use Wi-Fi at public libraries or pay their water bills online. Some city phones connected through the internet were also impacted.
Carter said in an interview with WCCO on Sunday that around 3,500 city workers are getting their devices checked and passwords reset in what officials are calling "Operation Secure Saint Paul."
As of Monday evening, over 2,000 of those employees have already been through the process. The operation is expected to run through Tuesday.
St. Paul declared a state of emergency after learning of the incident, and Gov. Tim Walz deployed the National Guard's cyber team to assist. The FBI said in a statement to WCCO that it was lending its "investigative expertise" to city officials.
Amid the attack, the city has warned residents to be on the lookout for fraudulent invoices, advising them not to click on any suspicious links or email attachments.