A significant data breach has occurred at the Pennsylvania State Education Association (PSEA), a prominent labor union for educators in the state, resulting in the theft of sensitive personal information belonging to over 517,000 members.

As the largest organization representing educators in Pennsylvania, PSEA encompasses current and former teachers, counselors, healthcare workers, and school social workers, making the breach particularly noteworthy.

According to a recent filing with the Maine Attorney General’s office on Tuesday, PSEA experienced a cyberattack in July 2024, during which an unauthorized entity gained access to its network and stole a vast amount of data.

The stolen data includes highly sensitive information such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial details, including card numbers, PINs, and expiration dates.

Additionally, PSEA reported that member account numbers, PINs, passwords, and security codes were compromised during the breach, as disclosed in a letter sent to affected individuals.

PSEA emphasized that “not all data elements were acquired for every impacted individual,” suggesting that the extent of the breach may vary from person to person.

The organization claimed to have taken steps to ensure the deletion of the stolen data, implying that it may have been the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers.

However, paying a ransom does not guarantee the deletion of stolen data, as evident from last year’s takedown of the LockBit ransomware gang, which revealed that the gang retained vast amounts of data from victims who had paid ransom demands.

PSEA has not responded to TechCrunch’s inquiries regarding the breach.