DeKalb County, Indiana Data Breach: A 35-Day Intrusion, a Six-Month Silence, and What It Means for Local Government Cybersecurity

On March 7, 2026, the DeKalb County Board of County Commissioners in northeast Indiana publicly disclosed that an unauthorized individual had been inside the county's network for more than a month, potentially copying the names, Social Security numbers, driver's license numbers, and financial account information of an undisclosed number of residents. The breach itself occurred between August 21 and September 25, 2025. The public notification came approximately 164 days later.

DeKalb County is a rural county in northeast Indiana with a population of roughly 43,265 according to the 2020 U.S. Census. Its county seat is Auburn, and it sits north of Fort Wayne, about 150 miles from Indianapolis. It is not a large metropolitan area with a massive IT department and multimillion-dollar cybersecurity budgets. It is exactly the kind of local government entity that threat actors increasingly target—and exactly the kind of entity that is being left more vulnerable as federal cybersecurity support programs are scaled back.

This article examines the full timeline of the DeKalb County breach, the data that was exposed, the specific adversarial techniques the attack pattern suggests, the legal framework governing Indiana's breach notification requirements, the broader context of local government cyberattacks in 2025, and the specific federal policy changes that are compounding the problem. It also asks the questions the official notice does not answer—and proposes solutions that go deeper than the standard advice.

What Happened: The Attack Timeline

According to reporting from WOWO News at the time of the incident, the cyberattack was first detected on the morning of Thursday, September 25, 2025, when members of the DeKalb County Information Technology Department discovered that county staff were unable to log into their workstations. Internal systems and workstations across multiple county departments were affected.

The IT Director immediately notified Jason Meek, Director of Emergency Management, who coordinated what county officials described as a rapid inter-agency response. County Commissioners, the County Attorney, the Auditor, IT staff, and Emergency Management personnel began working with external cybersecurity contractors the same day to assess the scope of the intrusion and begin recovery operations.

In a joint statement reported by WOWO News, county officials stated that their top priority was keeping services running while protecting sensitive information, and that the incident was being treated with the highest urgency.

Emergency services were not disrupted. The DeKalb County 911 Central Communications Center remained fully operational throughout the incident, and public safety dispatch for police, fire, and EMS continued without interruption. However, county phone lines and internal government systems took considerably longer to restore. As of late September 2025, officials had not provided a timeline for full recovery.

The subsequent investigation—the results of which were disclosed in March 2026—determined that the unauthorized access began well before detection, on August 21, 2025. This means the attacker had access to the county's network for approximately 35 days before the breach was identified.

That 35-day gap between initial compromise and detection is not a footnote. It is the central operational fact of this incident. An attacker inside a network for five weeks has time to do a great deal more than read files. They can map the environment, escalate privileges, move laterally across departments, identify the highest-value data stores, and exfiltrate data at a pace designed to evade detection thresholds. Whether any of that occurred in DeKalb County has not been publicly confirmed, but the window was open long enough for all of it.

What Data Was Exposed

According to the notice posted on the county's website and reported by WTHR, the information that may have been copied by the unauthorized individual includes a person's name in combination with one or more of the following data elements: Social Security number, driver's license number or state identification card number, and financial account number.

Officials stated that the specific information affected varies from person to person. The county has not disclosed how many individuals were impacted. This is a significant detail—under Indiana law, if more than 1,000 residents are notified, the breached entity must also notify all nationwide consumer reporting agencies.

Why This Data Combination Is Dangerous

Name plus Social Security number is the single most damaging combination in identity theft. It enables fraudulent tax filings, new credit account openings, synthetic identity creation, and benefits fraud. When a driver's license number and financial account number are also in the mix, a threat actor has everything needed to attempt full identity takeover. Affected individuals should treat this as a high-severity exposure.

The county has not publicly attributed the attack to a specific threat actor or ransomware group. It has not disclosed whether a ransom was demanded, whether any payment was made, or whether the exfiltrated data has appeared on any leak sites. The official language—"may have been copied"—suggests the investigation could not definitively confirm or rule out data exfiltration, which is common in incidents where forensic evidence is incomplete or where the attacker covered their tracks.

This ambiguity raises a question the official notice does not address: if exfiltration could not be confirmed, what standard of evidence did the county use to conclude notification was warranted? Indiana law requires notification when a breach "results in" or "could result in" identity theft or fraud. Acting on the "could result in" standard is the responsible call, but it leaves residents without actionable certainty about whether their data is actively in criminal hands or simply at theoretical risk.

The Attack Through a MITRE ATT&CK Lens

No official technical attribution has been published for the DeKalb County incident. The county has not confirmed the attack vector, whether ransomware was deployed, or what specific tools the attacker used. What is known—a 35-day dwell time, inability of employees to log in at the moment of detection, and the apparent exfiltration of sensitive data—is consistent with a class of attacks that map to well-documented adversary behavior in the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a globally referenced knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It is widely used by security teams, incident responders, and government agencies to classify and communicate attack patterns. Mapping an incident to ATT&CK does not require confirming specific tools—it requires examining what the attacker needed to accomplish and which techniques are consistent with the observed evidence.

Probable ATT&CK Technique Mapping

The following techniques are consistent with the known facts of the DeKalb County incident. Attribution is inferred from observable characteristics, not confirmed by investigation.

  • T1566 Phishing (Initial Access, TA0001) — Phishing remains the leading initial access vector for attacks targeting local government, frequently used to harvest credentials or deliver a loader payload. The 35-day gap before detection is consistent with a low-noise initial foothold rather than an immediate exploit.
  • T1078 Valid Accounts (Initial Access / Defense Evasion, TA0001 / TA0005) — Attackers frequently use legitimately obtained or compromised credentials to blend in with normal administrative traffic. Login failures across county workstations at the moment of detection are consistent with a credential-based action triggering a system-wide lockout response.
  • T1133 External Remote Services (Initial Access, TA0001) — VPNs, RDP, and remote management tools are commonly exploited in attacks on local government networks. Geographically distributed county employees requiring remote access creates ongoing exposure at this vector.
  • T1078.002 Domain Accounts (Privilege Escalation / Persistence, TA0004 / TA0003) — A 35-day dwell time suggests the attacker acquired persistent access, likely by obtaining or escalating to a domain-level account that allowed continued presence without triggering alerts.
  • T1021 Remote Services (Lateral Movement, TA0008) — Moving between departments—from one county office's systems to another's—requires lateral movement. RDP abuse and SMB exploitation are the most common lateral movement techniques seen in government sector attacks of this type.
  • T1083 File and Directory Discovery (Discovery, TA0007) — Identifying where sensitive data lives—HR records, financial systems, records management—is a prerequisite for targeted exfiltration. A 35-day window provides more than sufficient time for systematic file discovery across a county network.
  • T1041 Exfiltration Over C2 Channel (Exfiltration, TA0010) — Data containing SSNs, driver's license numbers, and financial account numbers is typically exfiltrated in compressed archives over established command-and-control channels to avoid triggering volume-based alerts.
  • T1486 Data Encrypted for Impact (Impact, TA0040) — The login failures detected on September 25 are consistent with a ransomware detonation or lockout event. Whether encryption was the final step or whether detection preceded it is unknown.

The significance of this mapping is not academic. It directly informs what defensive controls would have mattered most and at which stage. An attacker who spends 35 days in a network undetected is, by definition, operating in an environment where detection controls are absent or insufficient at the persistence, lateral movement, and discovery phases. The failure point is not the perimeter—it is everything that happens after initial access is established.
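To make the point concrete, the following is an added example, not code from the article, the county, or any investigation: a small set of detection rules for the post-access phases the mapping above highlights (credential misuse under T1078, lateral movement over remote services under T1021, and a failed-logon burst preceding a valid logon), run over constructed Windows-style logon records. The hostnames, account names, event timestamps and alert thresholds are all illustrative assumptions; only the event IDs (4624 successful logon, 4625 failed logon) and logon types (3 network, 10 RDP) are real Windows conventions. The sample also includes ordinary daytime activity so the rules can be seen not firing on normal use.

```python
"""
Added example: detection rules for the phases after initial access.
Not DeKalb County's code or data; the log below is constructed.
Event 4624 = successful logon, 4625 = failed logon.
Logon type 3 = network (SMB/admin share), 10 = RDP (interactive remote).
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LogonEvent = namedtuple("LogonEvent", "ts event_id account source target logon_type")

# Constructed sample records (assumed format):
# <timestamp> <event_id> <account> <source_host> <target_host> <logon_type>
SAMPLE_LOG = """\
2025-08-21T01:58:01 4625 administrator VPN-GW DC-01 3
2025-08-21T01:58:14 4625 administrator VPN-GW DC-01 3
2025-08-21T01:58:29 4625 administrator VPN-GW DC-01 3
2025-08-21T01:58:45 4625 administrator VPN-GW DC-01 3
2025-08-21T01:59:02 4625 administrator VPN-GW DC-01 3
2025-08-21T01:59:30 4624 administrator VPN-GW DC-01 3
2025-08-21T02:14:07 4624 svc-backup WS-FIN-02 FILE-SRV-01 3
2025-08-21T02:15:31 4624 svc-backup WS-FIN-02 FILE-SRV-02 3
2025-08-21T02:16:02 4624 svc-backup WS-FIN-02 HR-SRV-01 10
2025-08-21T02:17:45 4624 svc-backup WS-FIN-02 ASSESSOR-DB 10
2025-08-21T02:19:10 4624 svc-backup WS-FIN-02 CLERK-SRV 3
2025-08-21T02:20:55 4624 svc-backup WS-FIN-02 SHERIFF-SRV 3
2025-08-21T09:03:12 4624 jdoe WS-AUD-11 FILE-SRV-01 3
2025-08-21T09:05:40 4624 jdoe WS-AUD-11 FILE-SRV-01 3
2025-08-21T13:42:19 4624 msmith WS-CLK-04 CLERK-SRV 10
2025-08-21T14:10:02 4625 msmith WS-CLK-04 CLERK-SRV 3
"""


def parse_log(text):
    """Parse the space-separated records into LogonEvent tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, target, logon_type = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 account, source, target, int(logon_type)))
    return sorted(events, key=lambda e: e.ts)


def detect_fan_out(events, max_hosts=4, window=timedelta(minutes=30)):
    """T1078/T1021: one account reaching more than max_hosts distinct targets
    inside a sliding window. Returns {account: sorted list of targets}."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624:
            by_account[e.account].append(e)
    alerts = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):           # evs is time-ordered
            hosts = {x.target for x in evs[i:] if x.ts - start.ts <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def detect_off_hours_rdp(events, start_hour=6, end_hour=22):
    """Interactive RDP logons (type 10) outside the assumed 06:00-22:00 workday."""
    return [e for e in events
            if e.event_id == 4624 and e.logon_type == 10
            and not (start_hour <= e.ts.hour < end_hour)]


def detect_failure_burst(events, threshold=5, window=timedelta(minutes=5)):
    """threshold or more failed logons (4625) for one account inside one window:
    password guessing, or the kind of lockout storm seen at detection."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            by_account[e.account].append(e.ts)
    alerts = {}
    for account, times in by_account.items():
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                alerts[account] = n
                break
    return alerts


def run_detections(text, detected_at_iso):
    """Run all rules and compute the dwell time a timely alert would have cut:
    from the earliest flagged event to the actual detection time (ISO string)."""
    detected_at = datetime.fromisoformat(detected_at_iso)
    events = parse_log(text)
    fan_out = detect_fan_out(events)
    off_hours = detect_off_hours_rdp(events)
    bursts = detect_failure_burst(events)
    flagged_ts = [e.ts for e in off_hours]
    flagged_ts += [e.ts for e in events if e.account in fan_out or e.account in bursts]
    first = min(flagged_ts) if flagged_ts else None
    return {
        "fan_out": fan_out,
        "off_hours_rdp": [(e.ts.isoformat(), e.account, e.target) for e in off_hours],
        "failure_bursts": bursts,
        "first_suspicious": first.isoformat() if first else None,
        "dwell_days": (detected_at - first).days if first else None,
    }


if __name__ == "__main__":
    import json
    # Assumed detection time matching the article's September 25 discovery date.
    print(json.dumps(run_detections(SAMPLE_LOG, "2025-09-25T08:00:00"), indent=2))
```

Each rule keys on data that every domain controller already records, which is the practical point of the mapping: the fan-out and failure-burst rules need nothing but centralised logon events and a small amount of stateful aggregation, and on the constructed sample they fire on the first night of activity rather than five weeks later. The thresholds are deliberately loose; a real deployment tunes them against the county's own baseline of service-account and backup traffic.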

This is precisely why dwell time is a primary metric in evaluating an organization's security posture. The industry benchmark for mean time to detect (MTTD) an intrusion has improved significantly over the past decade, but rural local governments with limited monitoring capability remain outliers. A 35-day dwell time is concerning but, as this article discusses below, is not unusual for entities in this resource category.

The Notification Gap: 164 Days of Silence

One of the defining aspects of this incident is the length of time between detection and public disclosure. The breach was detected on September 25, 2025. The public notification was issued on March 7, 2026. That is approximately 164 days—nearly five and a half months.

During those 164 days, affected residents had no way of knowing that their Social Security numbers, driver's license numbers, and financial account information may have been in the hands of an unauthorized party. They could not take protective action—credit freezes, fraud alerts, account monitoring—because they did not know there was a reason to.

There are legitimate reasons why breach notifications take time. Forensic investigations must determine the scope of the compromise. Legal counsel must review notification requirements. The breached entity may need to set up call centers and credit monitoring services before going public. In some cases, law enforcement requests a delay to avoid compromising an active investigation. Indiana law explicitly allows for delayed notification if law enforcement or the Attorney General determines that disclosure would impede a criminal or civil investigation, or jeopardize national security.

Still, 164 days is a long time. For comparison, Indiana's breach notification statute requires that notification be made "without unreasonable delay but not more than 45 days after the discovery of the breach." That 45-day clock does come with a significant qualification: it runs from the date the entity discovers the breach, "consistent with measures necessary to restore the integrity of the system or necessary to discover the scope of the breach." This language gives entities substantial leeway.

Delayed notification following a breach is not unique to local government — the Ericsson data breach saw a vendor wait six months before informing the company that 15,661 employees had been exposed. A question the official notice leaves entirely unanswered is what happened during those 164 days that specifically required silence. Was there an active criminal investigation with a formal law enforcement hold on notification? If so, which agency was leading it, and has that investigation concluded? Were there technical reasons the scope of the breach could not be determined sooner? Did the delay benefit residents in any demonstrable way? None of this is addressed in the public statement, and residents have no mechanism to demand it.

Indiana's Breach Notification Law and How It Applies

Indiana's data breach notification statute (Indiana Code § 24-4.9) has been in effect since July 1, 2006. It defines a security breach as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

Under this statute, personal information is defined as an individual's Social Security number, or a person's name combined with any of the following: driver's license number, state identification card number, credit card number, financial account number, or debit card number combined with a required security code. The DeKalb County breach hits all of these categories.

The law requires the breached entity to notify affected consumers, the Indiana Attorney General, and—if more than 1,000 Indiana residents are impacted—the three nationwide consumer reporting agencies (Equifax, Experian, and TransUnion). Notification is not required if the entity determines that the breach has not resulted in and could not result in identity deception, identity theft, or fraud. It also does not apply to information that was encrypted or redacted, provided the encryption key itself was not compromised.

Enforcement is handled through the Indiana Attorney General's office. Violations can result in civil penalties of up to $150,000 per deceptive act, plus the Attorney General's costs for investigating and maintaining the action. Indiana's statute does not explicitly provide a private right of action for individuals.

Whether DeKalb County's 164-day notification timeline raises questions under this statute depends on facts not yet publicly available—specifically, when the county completed its investigation sufficiently to determine the scope of the breach, and whether law enforcement requested any notification delay. Without that information, it is not possible to say definitively whether the timeline was compliant.

A broader policy question worth raising: Indiana's 45-day standard, already generous compared to some other states, may need revisiting in light of how forensic investigations unfold in under-resourced environments. A county with one IT director and no dedicated security staff is not going to complete a forensic investigation in 45 days. Acknowledging that reality in the statute—perhaps with tiered timelines tied to resource capacity—could lead to more honest disclosure processes rather than delayed notices issued only after investigations conclude on their own schedule.

Part of a Larger Wave: Local Governments Under Siege

The DeKalb County breach did not happen in isolation. It was part of a documented surge of cyberattacks targeting local government entities in the fall of 2025.

As reported by SC Media in October 2025, DeKalb County's incident coincided with separate cyberattacks on Kaufman County, Texas (which took down courthouse computers and other systems) and the City of La Vergne, Tennessee (which forced government offices to close and disrupted water bill and property tax payment systems). All three incidents occurred in close succession.

This is consistent with broader trends. According to Microsoft's 2025 Digital Defense Report, which covers the period from July 2024 through June 2025, hospitals and local governments are primary targets for cybercriminals because they store sensitive data, operate with tight cybersecurity budgets, have limited incident response capabilities, and often run outdated software. The report found that over half of all cyberattacks with known motives during that period were driven by extortion or ransomware.

Huntress, a cybersecurity firm specializing in small and mid-sized organizations, reported that over 10% of the cyberattacks it observed in 2024 targeted government agencies, with infostealer threats being a prevalent type, accounting for 21% of government-sector threats.

The Smart Cities Dive analysis from March 2025 noted that city and county governments face a unique combination of cybersecurity challenges: geographically distributed employees who require remote access (often through VPNs that attackers can exploit, consistent with ATT&CK T1133), limited dedicated cybersecurity staff, and legacy systems that may not receive timely patches.

Phillip Harmon, a Cybersecurity & Data Privacy Associate at Woods Rogers, wrote in Smart Cities Dive that while no organization can prevent every incident, addressing known challenges proactively gives local governments a real chance to avoid serious disruption.

For a county like DeKalb—with roughly 43,000 residents, a median household income of about $70,080, and a government structure that includes separately elected officials across multiple departments—maintaining robust cybersecurity posture is a significant challenge. The county's IT department must secure systems across offices for Commissioners, the Auditor, the Assessor, the Clerk, the Sheriff, and more, all with the budget constraints typical of a rural Indiana county.

One question the reporting on this incident largely avoids: who, specifically, are the threat actors attacking entities like DeKalb County? The answer matters for how resources are allocated. The Verizon 2025 Data Breach Investigations Report found that financially motivated actors—organized crime groups, ransomware-as-a-service affiliates—account for the large majority of breaches against public sector entities. These are not nation-state operations with political motives. They are enterprises that have identified local government as a reliable revenue source precisely because the payout-to-effort ratio is favorable. A rural county with limited security controls, data that supports identity fraud, and political pressure to restore services quickly is an ideal ransomware target. Understanding that this is a business model, not a geopolitical operation, changes the calculus for defense.

The MS-ISAC Funding Crisis and What It Means

The DeKalb County breach becomes even more significant when viewed against a specific federal policy change that took effect just five days after the attack was detected.

On September 30, 2025—five days after DeKalb County discovered the intrusion—the Cybersecurity and Infrastructure Security Agency (CISA) allowed its 21-year cooperative agreement with the Center for Internet Security (CIS) to expire. This agreement had funded the Multi-State Information Sharing and Analysis Center (MS-ISAC), which served as the primary cybersecurity resource for over 18,000 state, local, tribal, and territorial government organizations across all 50 states.

The MS-ISAC provided real-time threat intelligence, incident response assistance, cybersecurity tools, and information sharing—services that many small and mid-sized local governments could not afford to procure independently. The federal government had been providing approximately $27 million annually to fund these services through its agreement with CIS. In 2024 alone, the MS-ISAC detected more than 43,000 potential cyberattacks, blocked more than 59,000 malware and ransomware incidents, prevented 25 billion connections to malicious sites, and stopped 5.4 million harmful emails on behalf of its member organizations, according to CIS reporting.

As reported by Cybersecurity Dive, more than 90% of the state and local threat intelligence that CISA distributed came from the MS-ISAC. The funding termination was part of broader cuts driven by the Department of Government Efficiency (DOGE), which had classified some of the MS-ISAC's services as "redundant."

CIS President and CEO John Gilligan pushed back on that characterization. As reported by Cybersecurity Dive, Gilligan stated that the argument the MS-ISAC's services were duplicative was clearly an error unsupported by the facts, pointing to local governments' willingness to pay out-of-pocket for memberships as evidence the services were not being replicated elsewhere.

The MS-ISAC has since transitioned to a fee-based membership model. The lowest price tier—for members with budgets under $25 million—increased to $1,495 per year. Larger jurisdictions face increases up to $12,495 annually. Critically, federal State and Local Cybersecurity Grant Program (SLCGP) dollars cannot be used to pay MS-ISAC membership fees, forcing counties to draw from general funds or seek state-level appropriations for a cost that was previously free.

As of early 2026, eleven states have committed to statewide MS-ISAC memberships that extend coverage to local governments within their borders—among them Texas, Kansas, and Mississippi. Whether Indiana is among them is not publicly confirmed. The state operates its own entity, the Indiana Information Sharing and Analysis Center (IN-ISAC), discussed below, but the relationship between Indiana's state-level coverage and individual county access to MS-ISAC services post-funding-cut remains unclear.

Bob Huber, Chief Security Officer at Tenable, warned that the funding cuts would exacerbate a "cyber poverty line," as reported by Route Fifty—the idea that smaller jurisdictions that cannot afford paid memberships or private cybersecurity services will be left more vulnerable to attack than their better-funded counterparts.

On the same date that the CISA-CIS agreement expired, the Cybersecurity Information Sharing Act of 2015 also lapsed after Senator Rand Paul blocked its reauthorization. This law had provided legal protections for organizations sharing cyber threat information with each other and with the federal government. The simultaneous expiration of the information-sharing legal framework and the primary operational vehicle for that sharing is not a coincidence to be glossed over.

For a county like DeKalb, this convergence is significant. The attack occurred in the final days before a major federal cybersecurity safety net was pulled away. Whether DeKalb County was an MS-ISAC member or relied on its services is not publicly known. But the timing illustrates the broader point: local governments are facing escalating cyber threats at the same time the federal resources they depended on are being reduced.

Indiana's Own Safety Net: The IN-ISAC

A question the coverage of this incident has not adequately addressed: what state-level resources were available to DeKalb County, and were they used?

Indiana operates the Indiana Information Sharing and Analysis Center (IN-ISAC), an entity developed by the State of Indiana to mitigate cybersecurity risks among state agencies and partners through threat information sharing and collaborative strategy. It provides real-time network monitoring, vulnerability identification, and threat warnings. The IN-ISAC also leverages academic partnerships—notably with Purdue University and Indiana University—to bring student talent into real threat analysis environments.

The IN-ISAC's mandate includes state agencies as primary constituents, but the scope of its support for county-level government entities is not clearly defined in public documentation. Whether DeKalb County had an active relationship with the IN-ISAC before the breach, whether the IN-ISAC was engaged during the incident response, and whether the state has taken any action in response to the breach are all unanswered questions. The Indiana Attorney General's office is the enforcement authority for breach notification law, but no public statement from the AG regarding DeKalb County has been issued.

Indiana also participates in the State and Local Cybersecurity Grant Program (SLCGP), established under the Infrastructure Investment and Jobs Act of 2021, which made $1 billion available over four years for state, local, tribal, and territorial cybersecurity efforts. That program expired at the close of fiscal year 2025 before receiving a short-term extension. Whether DeKalb County accessed any SLCGP funding, and what it was used for, is not in the public record.

The gap between the existence of these resources and their utilization at the county level is one of the defining structural problems in local government cybersecurity. Programs exist. Counties don't always know about them, don't have staff to administer the grants, or don't have the organizational capacity to translate funding into implemented controls. That gap is as dangerous as any technical vulnerability.

What Should Actually Change: Solutions Beyond the Checklist

Coverage of incidents like this one tends to resolve into the same set of recommendations: implement MFA, patch your systems, train employees on phishing, back up your data. These are not wrong. They are, however, insufficient on their own for an environment like DeKalb County—and they don't address the structural conditions that made this breach possible. Below are solutions that go further.

Mandate county-level security baselines through state law, not voluntary frameworks

Indiana currently has no statutory requirement that county governments meet any minimum cybersecurity standard. The CIS Controls—a prioritized set of security practices developed by the same organization that ran the MS-ISAC—include a tiered implementation model (IG1, IG2, IG3) specifically designed for resource-constrained organizations. Indiana could require all county and municipal governments to self-attest to compliance with CIS Implementation Group 1 as a condition of receiving state IT or grant funding. IG1 covers eighteen controls including asset inventory, data protection, secure configuration, account management, and basic incident response. These are achievable with limited staff. Making them a precondition for state funding changes the incentive structure without requiring the state to fund the security work itself.

Move toward shared services security models at the regional level

DeKalb County cannot sustain a dedicated security operations capability on its own. Neither can most of the 92 counties in Indiana. A regional security operations center (SOC) model—in which multiple counties pool resources to fund shared monitoring, incident response, and threat intelligence—exists in a small number of states and has proven effective. Indiana's SLCGP allocations could have been directed toward standing up a northeast Indiana regional SOC serving DeKalb, Steuben, LaGrange, Noble, and neighboring counties. At the state level, the IN-ISAC could serve as the coordination body. This is not a theoretical concept: Arizona launched a $10 million Statewide Cyber Readiness Program to provide free basic security services to underfunded local and tribal governments after the MS-ISAC funding change. Indiana has not announced an equivalent program.

Require deployment of the Albert sensor network or equivalent IDS as a condition of state IT support

The MS-ISAC's Albert Network Monitoring and Management intrusion detection sensors provided automated alerts on both traditional and advanced network threats. They are designed specifically for the SLTT environment. A county deploying Albert would have had network-level visibility that could have reduced a 35-day dwell time significantly. The MS-ISAC FAQ confirms that organizations that purchased paid membership before September 30, 2025 retain access to the Endpoint Detection & Response service through September 30, 2026 at no additional cost. Counties that have not yet transitioned to paid membership and have not deployed Albert have lost a detection capability they previously had for free.

Address dwell time directly with a detection SLA requirement

The industry conversation around local government cybersecurity focuses almost entirely on prevention. Prevention matters, but the DeKalb County incident demonstrates that even adequate prevention can fail. The question is what happens after initial access. A 35-day dwell time is a detection failure, not an access failure. State cybersecurity programs should establish detection service-level agreements for counties: if you are going to hold sensitive personal data under state law, you are obligated to have a mechanism to detect unauthorized access within a defined timeframe—whether through your own monitoring, a managed detection and response provider, or a shared SOC arrangement. Detection is not optional. It is a legal precondition for being able to meet notification deadlines.

Reform breach notification law to account for resource disparities

Indiana's 45-day notification window is measured from discovery. For a county with no forensic staff, "discovery" and "understanding what was taken" are months apart. The statute could be reformed to create a two-stage requirement: a preliminary notice within 15 days of detection confirming that an incident occurred and that an investigation is underway, followed by a detailed notice once the scope is determined. This is similar to the approach taken in healthcare under HIPAA's Breach Notification Rule, which requires preliminary notice within 60 days but allows supplemental notifications as information develops. Residents would benefit from knowing an incident happened even before the full scope is confirmed, because they can take precautionary action—credit monitoring, fraud alerts—immediately rather than waiting for a complete investigation.

Require post-incident public disclosure of security improvements

DeKalb County's notice is silent on what specific changes have been made since the breach. This is standard practice, but it creates no accountability. State law could require breached government entities to file a post-incident remediation report with the Indiana Attorney General within 90 days of public notification, describing what specific security controls were absent, what has been implemented, and what the estimated timeline is for additional improvements. This report does not need to be published in a way that creates additional attack surface—it can be filed confidentially with the AG and summarized for public accountability purposes. The current system creates no structural pressure to improve.

Treat the dark web monitoring gap as a distinct problem

A question no public statement has addressed: has the data exposed in this breach appeared on dark web leak sites or criminal forums? If it has, the county's incident response team would likely know. If it hasn't, that is meaningful information for affected residents. The absence of this disclosure is not a legal failure—Indiana law does not require it. But it is an informational failure. Dedicated dark web monitoring for a county government's data is not expensive in the context of a full incident response engagement. Making the results of that monitoring available to residents—even in summary form—is a transparency step that would meaningfully affect how seriously affected individuals treat the threat to their information.

What Affected Residents Should Do Now

DeKalb County is offering credit monitoring and identity protection services to individuals who may have been affected. Residents with questions can call 1-844-953-2377 between 8 a.m. and 8 p.m. Eastern Time. Additional information is available through the official notice posted on the county's website.

Beyond the county's offered services, affected individuals should consider the following steps:

  1. Place a credit freeze with all three bureaus. Contact Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-888-909-8872) to freeze your credit files. A credit freeze prevents new accounts from being opened in your name and is free to place and lift. This is the single most effective step against identity theft using stolen personal information.
  2. Place a fraud alert. If you prefer not to freeze your credit, you can place a free one-year fraud alert by contacting any one of the three bureaus, which is required to notify the other two. This requires creditors to take extra steps to verify your identity before issuing credit.
  3. Request your free credit reports. Visit AnnualCreditReport.com to pull your reports from all three bureaus and review them for any accounts or inquiries you do not recognize.
  4. Monitor financial accounts closely. Review bank and credit card statements for unauthorized transactions. Set up transaction alerts if your financial institution offers them.
  5. File your taxes early. If your Social Security number was exposed, filing your federal and state tax returns as early as possible reduces the window for fraudulent filings in your name.
  6. Be alert for targeted phishing. Attackers who have your personal information may use it to craft convincing phishing emails or phone calls that reference real details about you. Be skeptical of any unsolicited communication that asks you to verify personal information, click a link, or provide payment. This is consistent with ATT&CK technique T1598 (Phishing for Information), which threat actors use in follow-on operations after data acquisition.
  7. Consider an IRS Identity Protection PIN. The IRS offers a free Identity Protection PIN (IP PIN) that adds an extra layer of security when filing your tax return. You can request one at irs.gov.
  8. Consider a Social Security self-lock. The Social Security Administration's mySocialSecurity portal allows individuals to lock their Social Security number from being used to apply for benefits in their name. This is a step the county's notice does not mention, but it is one of the more powerful protective actions available when an SSN has been exposed.

Indiana Attorney General Resources

The Indiana Attorney General's office maintains a security breaches resource page with guidance on protecting yourself after a breach, including a list of all reported breaches in the state by year. The office can be reached at 317-232-6201.

Key Takeaways

  1. 35 days of undetected access is a detection failure, not just a dwell time statistic. The attacker was inside the county's network from August 21 to September 25, 2025. Every day of that window represents time during which data was accessible, lateral movement was possible, and the attacker was mapping the environment. Framing this as merely a long dwell time understates the problem. It reflects the complete absence of detection controls capable of identifying anomalous behavior in the persistence, lateral movement, and collection phases (ATT&CK TA0003, TA0008, TA0009).
  2. The 164-day notification gap left residents without agency. Regardless of the legal justification, nearly six months between detection and disclosure is a long time for individuals whose Social Security numbers and financial information may be in criminal hands. During that period, residents could not take protective action because they did not know they needed to. A preliminary notice requirement would address this.
  3. Local governments are increasingly vulnerable at a time when federal support is being reduced. The expiration of the CISA-CIS agreement, the lapse of the Cybersecurity Information Sharing Act, and the transition of the MS-ISAC to a fee-based model all compound the challenge for small counties and municipalities that lack the budget for dedicated cybersecurity staff or enterprise-grade security tools. As of early 2026, eleven states have purchased statewide MS-ISAC memberships to cover their localities. Indiana's status in this regard has not been publicly confirmed.
  4. Indiana has state-level resources that should be more visible. The IN-ISAC exists and provides real-time monitoring and threat intelligence. Whether DeKalb County had access to those services, used them during this incident, or benefits from them going forward is unanswered. The state's role in post-breach oversight also remains unclear, with no public statement from the Indiana Attorney General's office on this specific incident.
  5. Solutions require structural change, not just better hygiene. The standard recommendations—MFA, patching, backups—are necessary but not sufficient. Regional SOC models, mandatory baseline standards, pre-deployment of IDS sensors, two-stage notification reform, and post-incident remediation accountability are achievable policy changes that would materially improve the security posture of rural county governments in Indiana and across the country.
  6. Transparency matters, and it is still lacking. DeKalb County has made credit monitoring available and published a notice on its website, but significant questions remain unanswered: how many individuals were affected, whether the data has appeared on leak sites, what type of attack was used, and what specific security improvements have been implemented since the incident. Greater transparency from breached entities helps the broader community learn from these incidents and allocate resources accordingly.

The DeKalb County breach is not the largest or most dramatic cyberattack of 2025. It did not shut down a pipeline, disrupt a hospital, or make national headlines for weeks. But in many ways it is more representative of the cybersecurity reality facing the majority of Americans—the quiet, methodical compromise of a county government network in a rural community, the months-long wait for notification, and the realization that the safety nets designed to help are being pulled away. For the roughly 43,000 residents of DeKalb County, the question is no longer whether their government's systems were secure. It is whether the response was fast enough, whether the defenses will be stronger next time, and whether the structural conditions that made this possible are being addressed at any level of government.
