Article Details

Scrape Timestamp (UTC): 2025-03-19 21:14:22.716

Source: https://www.theregister.com/2025/03/19/pennsylvania_nonprofit_cyberattack/

Original Article Text

Attackers swipe data of 500k+ people from Pennsylvania teachers union. SSNs, payment details, and health info too.

The Pennsylvania State Education Association (PSEA) says a July 2024 "security incident" exposed sensitive personal data on more than half a million individuals, including financial and health info.

The nonprofit, which represents more than 178,000 education professionals in the US state of Pennsylvania, confirmed data was stolen during a July 6 attack. According to The Office of the Maine Attorney General, the breach affected a total of 517,487 people.

PSEA wrapped up its investigation on February 18, though it hasn't said exactly when the breach was detected. Post-attack probes often stretch over several months.

The org's disclosure notice stated: "...we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.

"We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted. We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information."

Although PSEA's disclosure didn't explicitly mention ransomware or extortion, it did say that steps were taken to ensure the stolen data was deleted — a claim that typically implies some level of communication with the attackers, often seen in double extortion cases.

Adding weight to that suspicion, the Rhysida ransomware gang publicly claimed responsibility for the attack in September 2024, suggesting ransomware was involved.

The Register asked PSEA and its lawyer for more information about this and whether it paid a ransom at any point, but neither immediately responded.

PSEA emphasized that not every individual had the same data elements compromised. The exposed information may include an individual's full name in combination with one or more other types of personal data.

The possible data types stolen include the usual personally identifiable information (PII) such as full names and dates of birth, and identity documents such as driver's licenses, state IDs, and social security numbers (SSNs).

In addition to basic PII, the nonprofit also said account numbers, account PINs, security codes, passwords, routing numbers, payment card numbers, card PINs, and expiration dates might have been taken.

The list doesn't stop there: Passport numbers, taxpayer ID numbers, usernames and passwords, health insurance information, and finally medical information are potentially in the hands of cybercriminals.

"We have no evidence that any of the information has been used for identity theft or to commit financial fraud," PSEA said. "Nevertheless, out of an abundance of caution, we want to make the impacted individuals aware of the incident."

It went on to say: "Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of protected personal information in our possession and have taken precautions to safeguard it."

PSEA is offering credit monitoring and identity restoration services, free of charge, but only to individuals whose Social Security numbers were compromised.

Daily Brief Summary

DATA BREACH // Pennsylvania Teachers Union Reports Massive Data Theft Incident

The Pennsylvania State Education Association (PSEA) experienced a significant data breach in July 2024, compromising personal information of over 500,000 individuals.

Stolen data includes Social Security numbers, financial details, and health information, impacting a wide array of personal and sensitive data.

The breach was publicly linked to the Rhysida ransomware gang, hinting at a potential ransomware attack although PSEA did not confirm paying any ransom.

PSEA completed their internal investigation by February 18, detailing the extent of the exposed information and confirming the unauthorized data access.

PSEA says it has no evidence so far that the stolen information has been used for identity theft or financial fraud.

In response to the breach, PSEA is offering free credit monitoring and identity restoration services, but only to those whose Social Security numbers were affected.

The organization has taken steps to ensure, to their knowledge, the deletion of the stolen data by the unauthorized actors, although the effectiveness of such measures is often difficult to verify.