Hackers Ransom 500,000 Union Members’ Personal Information

NBC 10 Philadelphia recently reported that Pennsylvania’s largest teacher union was the victim of a dark-web cyberattack. The attack targeted the Pennsylvania State Education Association (PSEA) and impacted more than 500,000 individuals, including public school teachers and support staff. During the breach, hackers accessed individuals’:

• Date of birth.
• Social Security numbers.
• Driver’s license numbers.
• Passport numbers.
• Bank account information, including account and routing numbers and passwords.
• Credit and debit card information, including card numbers, PINs, and card expiration dates.
• Health insurance and medical information.

Why does the PSEA have access to all this information, especially since most have nothing to do with work or union representation? Simply put, unions often obtain personal information to contact employees about political causes and union organizing outside the workplace. They also send unpaid dues to collections.

Sometimes, public sector employers, such as school districts, disclose employees’ private information to unions without seeking workers’ permission. Other times, unions negotiate for access to the information during the collective bargaining process. Often, employees have no idea their union has access to this information.

SecurityWeek, a cybersecurity news site, reported that the hackers threatened to auction this personal information on the dark web unless PSEA paid a ransom. At this time, it is unclear whether the union paid the ransom.

It is clear, however, that PSEA is not a responsible steward of sensitive personal information.

Sadly, PSEA isn’t alone. Massive union data breaches have also occurred in California, New York, and Massachusetts.

Union members deserve better. At the very least, they deserve unions that can handle the responsibility of protecting their personal information.