Another Day, Another Union Data Breach

Less than a month after the Pennsylvania State Education Association (PSEA) revealed it was the victim of a ransomware attack, yet another union has fallen victim to a cyberattack. On March 27, United Domestic Workers of America (UDWA), American Federation of State, County and Municipal Employees Local 3930, revealed an “unauthorized third party” gained access to the union’s network.

The union, which represents more than 170,000 caregivers and childcare providers in California, discovered that hackers accessed and possibly acquired up to 200,000 individuals’ personal information. The breach, which occurred in January 2025, may have impacted individuals’ social security numbers, names, and personal addresses. UDWA, similar to PSEA, didn’t immediately publicly disclose the breach, leaving its members in the dark for several months.

The incident at UDWA is the latest in a series of troubling cyberattacks against labor unions. In addition to the breaches at PSEA and UDWA, unions in California, New York, and Massachusetts have suffered similar data breaches.

Each state requires employers to provide unions with members’ personal information or allows unions to gain access to this information during the collective bargaining process. Access to sensitive information, combined with poor data-stewardship practices, makes unions a prime target for hackers.

Public employees shouldn’t constantly fear becoming victims of identity theft and fraud—especially because of union incompetence.

To protect employees, lawmakers must act to prevent employers from disclosing employees’ personal information during the collective bargaining process. In the meantime, members must hold their unions responsible, ensuring their leadership is actively protecting their identities and mitigating the risk of further data breaches.