A data breach affecting Pennsylvania’s largest workers and teachers’ union, the Pennsylvania State Education Association (PSEA), has exposed the personal information of over half a million individuals.
PSEA is a labor union that represents over 517,487 individuals, including public school teachers, higher education faculty members, school support staff, and retired educators across the Keystone State.
“PSEA experienced a security incident on or about July 6, 2024, that impacted our network environment,” the labor union stated.
The Harrisburg-based organization launched an investigation, which concluded on February 18, 2025, and determined that the cyber incident enabled a threat actor to access certain files containing personal information.
Pennsylvania’s largest workers and teachers’ union confirms data breach
Although the information exposed varied by individual, it included the personal, financial, and health data of 517,487 people.
Specific details leaked include the victims’ dates of birth, driver’s license numbers or other state IDs, Social Security numbers, account numbers and PINs, security codes, passport numbers, taxpayer ID numbers, and account usernames and passwords.
The data breach also leaked account routing numbers; payment card numbers, PINs, and expiration dates; and health insurance and medical information.
Meanwhile, PSEA has notified relevant authorities, including the Office of the Maine Attorney General, and sent data breach notices to affected individuals. The workers and teachers’ union also offered 12 months of credit and CyberScan monitoring from IDX to protect data breach victims from potential cyber attacks.
The workers and teachers’ union also advised impacted members to monitor their financial statements and credit reports for suspicious activity and promptly notify authorities of any fraud. They should also consider placing credit freezes to prevent fraudsters from opening new credit lines without their authorization.
Rhysida ransomware claims PSEA workers and teachers’ union data breach
While the workers and teachers’ union has not disclosed the threat actor’s identity, the Rhysida ransomware gang took credit for the PSEA data breach in September 2024 and listed the labor union on its data leak site.
The ransomware gang also demanded a ransom of 20 bitcoin, which was equal to $1.1 million at the time, in exchange for not publishing the stolen information online, and shared screenshots of the pilfered documents. However, the listing was later pulled down, suggesting that the workers and teachers’ union had paid the ransom.
“Organizations pay ransoms for many reasons, such as fear of repercussions, reputational and financial damages, loss of productivity, as well as from harassment during ransom negotiations,” said Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ. “However, situations like this are a reminder that making a ransomware payment does not guarantee a positive outcome. Doing so may further enable cybercriminals to profit and advance their operations and campaigns, and may further incentivize future attacks.”
Rhysida ransomware, which first surfaced in May 2023, has claimed numerous high-profile breaches, including the August 2023 Singing River Health System data breach affecting 900,000 people and the July 2024 City of Columbus, Ohio, cyberattack affecting 500,000 individuals.
Others include the November 2023 Insomniac Games data breach that leaked 1.67 terabytes of data after the company refused to pay a $2 million ransom and the May 2023 Chilean Army and British Library breaches.
“Rhysida is thought to have ties to the ransomware group Vice Society and first surfaced in May 2023,” noted Paul Bischoff, Consumer Privacy Advocate at Comparitech. “Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems.
“Rhysida has claimed 82 confirmed ransomware attacks since it began, compromising more than 5.3 million records. Its average ransom demand is $1.08 million,” noted Bischoff.
In November 2023, the FBI, CISA, and MS-ISAC issued a joint cybersecurity advisory about the Rhysida ransomware gang indiscriminately targeting “education, healthcare, manufacturing, information technology, and government sectors.”
In August 2023, the US Department of Health and Human Services (HHS) also attributed various attacks on the Healthcare and Public Health (HPH) sector to the Rhysida ransomware gang, which was in its early stages of development.