Full Report
More than 500,000 people were impacted by a cyberattack on the Pennsylvania State Education Association (PSEA) that took place in July 2024.
Analysis Summary
# Incident Report: PSEA Network Intrusion and Data Exfiltration by Rhysida
## Executive Summary
The Pennsylvania State Education Association (PSEA) suffered a cyberattack around July 6, 2024, resulting in the exposure of sensitive personal information belonging to over half a million individuals, including members, former members, and their dependents. The attack was later claimed by the Rhysida ransomware gang in September. PSEA completed its investigation in February 2025, identifying the exfiltration of various PII and financial details, prompting notifications to regulatory bodies and impacted members.
## Incident Details
- Discovery Date: Not stated; the investigation into the earlier breach concluded on February 18, 2025.
- Incident Date: On or about July 6, 2024
- Affected Organization: Pennsylvania State Education Association (PSEA)
- Sector: Education / Professional Association
- Geography: Pennsylvania, USA (with members notified across several states)
## Timeline of Events
### Initial Access
- Date/Time: On or about July 6, 2024
- Vector: Not disclosed; the intrusion resulted in compromise of the PSEA network.
- Details: Attackers gained unauthorized access into the PSEA network environment.
### Lateral Movement
- Details: Attackers accessed "certain files within our network," suggesting internal reconnaissance and movement to reach valuable data stores.
### Data Exfiltration/Impact
- Date/Time: Sometime between July 6, 2024, and the containment phase.
- Details: Attackers stole a large volume of sensitive personal information, including State IDs, SSNs, financial account numbers, payment card information, passport numbers, taxpayer IDs, health insurance information, and medical data.
### Detection & Response
- Date/Time: Incident occurred July 6, 2024; Investigation completed February 18, 2025.
- Details: PSEA discovered the security incident, notified law enforcement, and engaged cybersecurity experts. Breach notifications were issued to members and mailed to regulatory bodies in Maine, Massachusetts, and New Hampshire, among others, starting March 2025. Rhysida claimed the attack in September 2024.
## Attack Methodology
- Initial Access: Not explicitly detailed, but part of a Rhysida operation.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed, but likely involved credential harvesting to access sensitive files.
- Discovery: Attackers mapped the network to locate sensitive personal and financial information.
- Lateral Movement: Confirmed access to various files containing member data.
- Collection: Aggregation of PII, financial data, and health records.
- Exfiltration: Stolen data was exfiltrated before containment.
- Impact: Mass exposure of PII and financial data for members and dependents.
## Impact Assessment
- Financial: Costs associated with investigation, remediation, and potential regulatory fines/litigation are implied.
- Data Breach: 517,487 individuals impacted. Data included State IDs, SSNs, financial account numbers, payment card info, passport numbers, taxpayer IDs, health insurance, and medical data.
- Operational: Disruption following the breach, necessitating a thorough investigation and notification process.
- Reputational: Negative impact given the scope of the breach, which touches members and dependents represented by the union across Pennsylvania schools.
## Indicators of Compromise
- Network Indicators: Unknown (Specific IOCs not public in summary).
- File Indicators: Unknown (Specific IOCs not public in summary).
- Behavioral Indicators: Unauthorized access and large-scale file transfers suggestive of data staging/exfiltration.
## Response Actions
- Containment: Implied containment occurred between July 2024 and the February 2025 investigation conclusion.
- Eradication: Not explicitly detailed, but remediation efforts were undertaken.
- Recovery: PSEA stated they "took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted." Legal and expert consultation was ongoing.
## Lessons Learned
- Sensitive data segregation and protection protocols within the network environment require rigorous review, especially for third-party access or storage used by a large membership organization.
- The gap between compromise (July 2024) and full determination/notification (March 2025) shows how long and complex the analysis of a large-scale data breach can be.
## Recommendations
- Immediately review and enhance multi-factor authentication (MFA) across all VPNs, systems, and remote access points.
- Implement network segmentation to restrict lateral movement capabilities, isolating sensitive databases (containing SSNs, financial data) from general network traffic.
- Establish continuous monitoring and anomaly detection for large-volume data transfers to shorten the time between intrusion and discovery.
- Conduct proactive threat hunting to identify and remove potential backdoors left by ransomware groups like Rhysida.
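The third recommendation above, monitoring for large-volume outbound transfers, is the one most directly tied to the behavioral indicator the report lists (large-scale file transfers suggestive of staging/exfiltration). The script below is an added illustration of that detection logic and is not code from the PSEA report or from any vendor product. It assumes a simple flow-record format (`<iso-timestamp> <src_host> <dst_ip> <bytes_out>`), assumes RFC 1918 ranges are "internal", and uses constructed hostnames, addresses and byte counts; the ratio and floor thresholds are illustrative tuning values, not figures from the incident.

```python
"""Egress-volume anomaly detection over constructed flow records.

Added example, not part of the PSEA incident report. Flags hosts whose
outbound byte volume to external destinations in an hourly window far
exceeds that host's own historical baseline, the pattern a data-staging
and exfiltration phase tends to produce. Record format, network ranges,
thresholds and all sample values are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: RFC 1918 space is "internal"; everything else is external egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    ts: datetime
    src: str       # internal source hostname
    dst_ip: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-timestamp> <src_host> <dst_ip> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(nbytes))


def hourly_external_bytes(flows):
    """Sum bytes sent to external destinations per (host, hour bucket)."""
    buckets = defaultdict(int)
    for f in flows:
        if is_external(f.dst_ip):
            hour = f.ts.replace(minute=0, second=0, microsecond=0)
            buckets[(f.src, hour)] += f.bytes_out
    return buckets


def find_egress_anomalies(flows, ratio=10.0, floor_bytes=500_000_000, min_history=3):
    """Return {host: [(hour, bytes, baseline), ...]} for hours whose external
    egress is at least `ratio` times the host's median of prior hourly totals
    AND at least `floor_bytes`. The floor stops a normally quiet host alerting
    on trivial volumes; the ratio stops a chatty host alerting on its usual load.
    Flagged hours are kept out of the baseline so they do not mask later ones."""
    per_host = defaultdict(list)
    for (host, hour), nbytes in hourly_external_bytes(flows).items():
        per_host[host].append((hour, nbytes))
    findings = {}
    for host, series in per_host.items():
        history = []
        for hour, nbytes in sorted(series):
            flagged = False
            if len(history) >= min_history:
                baseline = median(history)
                if nbytes >= floor_bytes and nbytes >= ratio * max(baseline, 1):
                    findings.setdefault(host, []).append((hour, nbytes, baseline))
                    flagged = True
            if not flagged:
                history.append(nbytes)
    return findings


def build_sample_log():
    """Constructed sample flow records (not real PSEA telemetry)."""
    lines = []
    base = datetime(2024, 7, 3)
    # Three days of ordinary business-hours egress: 20 MB/hour from a file
    # server and 1.5 MB/hour from a workstation, to a test-net address.
    for day in range(3):
        for hour in (9, 13, 17):
            ts = (base + timedelta(days=day, hours=hour)).isoformat()
            lines.append(f"{ts} fileserver01 203.0.113.10 20000000")
            lines.append(f"{ts} workstation07 203.0.113.10 1500000")
    # Large internal backup traffic: not egress, must not alert.
    lines.append("2024-07-06T02:05:00 fileserver01 10.0.5.20 9000000000")
    # A single 2.4 GB transfer to an unfamiliar external address at 02:15.
    lines.append("2024-07-06T02:15:00 fileserver01 203.0.113.55 2400000000")
    return lines


def parse_sample_flows():
    return [parse_flow(line) for line in build_sample_log()]


if __name__ == "__main__":
    for host, hits in find_egress_anomalies(parse_sample_flows()).items():
        for hour, nbytes, baseline in hits:
            print(f"{host} {hour.isoformat()} egress={nbytes} baseline={baseline}")
```

The per-host baseline matters: a flat organisation-wide threshold either fires constantly on backup servers or misses a workstation that suddenly pushes hundreds of megabytes out. In practice the records would come from NetFlow/IPFIX or a firewall log, and the alert would be joined with the destination's reputation and the account active on the host at the time.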