Pennsylvania Teachers Union Members Sue After Cyberattack Exposes Personal Data

Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter

Members of the Pennsylvania State Education Association have filed multiple class-action lawsuits against the union after a cyberattack compromised the personal information of more than a half-million people.

Three union members filed suit in March, just days after the union announced a data breach had occurred on July 6, 2024.

A union investigation into the incident, completed Feb. 18, found that an “unauthorized actor” gained access to records like Social Security numbers, bank account numbers, birthdates and taxpayer identification information.

The Rhysida ransomware gang claimed on its dark web site in September that it had carried out the cyberattack.

The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the Maine attorney general’s office said 517,487 people were affected.

The suits allege the union failed “to properly secure and safeguard private information that was entrusted to them” and that those affected — including the relatives of members — will suffer financial losses and lost time detecting and preventing identity theft. 

Educators must provide personal information to the union to receive its benefits, according to the lawsuits. 

The plaintiffs also allege that the union waited too long to announce the data breach. Notification letters were sent out on March 17, a month after the union’s investigation was finished.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The attack occurred on computer systems that needed security upgrades, the lawsuits allege. Two of the plaintiffs have reportedly experienced increased numbers of spam calls and emails.

“[The union] failed to properly monitor the computer network and systems that housed the private information,” one lawsuit says. “Had [the union] properly monitored its computer network and systems, it would have discovered the massive intrusion sooner rather than allowing cybercriminals almost a month of unimpeded access.”

The union, which represents 178,000 members, said in a previous statement that it isn’t aware of identity theft connected to the breach. It did not respond to a request for comment from The 74 about the lawsuits.

The plaintiffs are seeking compensatory damages and want the court to order the union to pay for at least 10 years of credit monitoring services for those affected. Motions were filed in a Pennsylvania district court Tuesday to consolidate the lawsuits into one class-action case.

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter