AIPAC, a prominent U.S.-based political organization focused on U.S.-Israel relations, suffered a data breach through the compromise of an external third-party system. Unauthorized access to its files lasted from October 20, 2024, to February 6, 2025 (4 months), but was not detected until August 28, 2025. The breach exposed personally identifiable information (PII) of 810 individuals, including names and other identifiers (potentially Social Security Numbers, Taxpayer IDs, driver’s licenses, passports, addresses, contact details, email addresses, payment card data, and banking information). No evidence of misuse or of data leaks on hacker forums has been reported, although the breach involved criminal cyberattack methods. AIPAC responded by notifying affected individuals (starting November 13, 2025), offering 12 months of identity protection services (IDX), and implementing enhanced security measures (posture controls, DLP, access restrictions, monitoring, etc.). No group has claimed responsibility, and the motive remains unclear.
Source: https://hackread.com/aipac-data-breach-hundreds-affected/
TPRM report: https://www.rankiteo.com/company/aipac
"id": "aip2562125111725",
"linkid": "aipac",
"type": "Breach",
"date": "10/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '810 individuals (including 1 '
'Maine resident)',
'industry': 'Public Policy / Advocacy',
'location': 'United States',
'name': 'American Israel Public Affairs Committee '
'(AIPAC)',
'type': 'Non-profit Political Organization'}],
'attack_vector': 'Third-Party System Compromise',
'customer_advisories': ['Email notifications sent to affected individuals '
'(November 13, 2025) with offer of 12-month identity '
'protection services'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 810,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes potential SSN, '
'financial data, government-issued '
'IDs)',
'type_of_data_compromised': ['PII (Personally Identifiable '
'Information)']},
'date_detected': '2025-08-28',
'date_publicly_disclosed': '2025-11-14',
'description': 'AIPAC (American Israel Public Affairs Committee) announced a '
'data breach linked to an external system breach involving an '
'unknown third-party company. Unauthorized access to files '
'stored on AIPAC systems occurred from October 20, 2024, to '
'February 6, 2025, with the breach identified on August 28, '
'2025. Personal identifiers (PII) of 810 individuals, '
'including names and potentially Social Security Numbers, '
'Taxpayer ID Numbers, driver license numbers, state ID '
'numbers, passport numbers, home addresses, contact details, '
'email addresses, payment card data, and banking information, '
'were compromised. No signs of data misuse or claims of '
'responsibility have been reported. AIPAC is offering 12 '
'months of identity protection services (IDX) to affected '
'individuals and has implemented enhanced security controls '
'post-incident.',
'impact': {'brand_reputation_impact': 'Potential reputational risk due to '
'breach of sensitive PII',
'data_compromised': ['Names',
'Personal Identifiers (PII, potentially '
'including Social Security Numbers, Taxpayer '
'ID Numbers, driver license numbers, state ID '
'numbers, passport numbers, home addresses, '
'contact details, email addresses, payment '
'card data, banking information)'],
'identity_theft_risk': 'High (PII exposed; 12-month identity '
'protection offered)',
'payment_information_risk': 'Potential (payment card data and '
'banking information may have been '
'exposed)',
'systems_affected': ['AIPAC information systems (files stored)']},
'initial_access_broker': {'entry_point': 'Unknown third-party company system '
'breach'},
'investigation_status': 'Completed (no ongoing signs of misuse reported)',
'post_incident_analysis': {'corrective_actions': ['Implemented posture '
'controls, non-human '
'identity controls, email '
'DLP, Microsoft 365 access '
'controls, privilege '
'alerts, geolocation '
'restrictions, audit '
'functions, and increased '
'monitoring'],
'root_causes': ['Third-party system compromise '
'leading to unauthorized access to '
'AIPAC files']},
'ransomware': {'data_exfiltration': True},
'references': [{'date_accessed': '2025-11-14',
'source': 'Maine Attorney General Office Filing'}],
'regulatory_compliance': {'regulatory_notifications': ['Maine attorney '
'general (filed '
'November 14, 2025)']},
'response': {'communication_strategy': ['Notification to Maine attorney '
'general (November 14, 2025)',
'Email notifications to affected '
'individuals (November 13, 2025)'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'recovery_measures': ['Notification to affected individuals '
'(email, starting November 13, 2025)',
'12-month identity protection services '
'(credit monitoring, CyberScan, insurance '
'reimbursement, identity recovery '
'support)'],
'remediation_measures': ['Added new security controls (posture '
'controls, non-human identity controls, '
'email data loss prevention, Microsoft '
'365 access controls, privilege alerts, '
'geolocation restrictions, audit '
'functions, increased monitoring)'],
'third_party_assistance': ['IDX (identity protection services)']},
'threat_actor': 'Unknown (No group claimed responsibility)',
'title': 'AIPAC Data Breach via Third-Party System Compromise',
'type': ['Data Breach', 'Unauthorized Access']}