The Pennsylvania State Education Association (PSEA), the state’s largest union for educators, has confirmed a massive data breach affecting more than 517,000 individuals. The cyberattack, which occurred in July 2024, exposed highly sensitive personal information belonging to current and former teachers, counselors, healthcare workers, and school social workers.
Extensive Data Exposure
According to official filings with the Maine Attorney General, unauthorized actors infiltrated the union’s network and exfiltrated a significant trove of private records. The compromised data includes:
- Social Security numbers and government-issued identification.
- Passport numbers.
- Medical records and financial information.
- Credit card numbers, including associated PINs and expiration dates.
- Member account credentials, passwords, and security codes.
Ransom Payment and Data Security Concerns
In correspondence sent to affected members, the PSEA acknowledged that while not every individual had all data elements compromised, the breadth of the breach is severe. The union stated it took steps to ensure the stolen data was deleted by the attackers, strongly suggesting that the organization engaged in a ransom payment to resolve the extortion attempt.
Security experts remain skeptical regarding the efficacy of such payments. History has shown that paying a ransom provides no guarantee that malicious actors will honor their agreement to purge stolen files. A notable example occurred last year during the international takedown of the LockBit ransomware gang, where investigators discovered that hackers had retained sensitive victim data long after ransom demands were met.
Ongoing Response
The PSEA has faced scrutiny over the incident, yet the organization has remained silent regarding specific details of the recovery process. The union did not respond to multiple requests for comment regarding the security protocols currently in place or the timeline of the initial detection.