Aquarium of the Pacific, Southern California’s largest aquarium with 1.5 million annual visitors, suffered a data breach after detecting unauthorized access to an internal email account between April 19, 2025, and June 3, 2025. The breach exposed personally identifiable information (PII) of current/former employees and possibly visitors, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance details, and financial/payment information. The aquarium began notifying affected individuals via mail on September 25, 2025, and reported the incident to the Vermont Attorney General’s office on September 29, 2025. As a remedial measure, it offered 12 months of free credit monitoring and identity protection services through Epiq - Privacy Solutions. The breach poses risks of identity theft, phishing attacks, and financial fraud for victims, though the exact number of impacted individuals remains undisclosed.
Source: https://www.claimdepot.com/data-breach/aquarium-of-the-pacific-2025
TPRM report: https://www.rankiteo.com/company/aquariumpacific
"id": "aqu2093020092925",
"linkid": "aquariumpacific",
"type": "Breach",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Current and former employees, '
'and possibly visitors (exact '
'number not released)',
'industry': 'Entertainment / Education (Aquarium)',
'location': 'Long Beach, California, USA',
'name': 'Aquarium of the Pacific',
'size': '1.5 million annual visitors; employee count '
'not specified',
'type': 'Non-profit Organization'}],
'attack_vector': 'Unauthorized Access (Email Account Compromise)',
'customer_advisories': ['Monitor for phishing attempts using exposed PII.',
'Enroll in provided credit monitoring services.',
'Consider proactive measures like credit freezes.'],
'data_breach': {'data_exfiltration': 'Likely (unauthorized access to email '
'account suggests potential '
'exfiltration)',
'number_of_records_exposed': 'Not disclosed (believed to '
'include current/former '
'employees and possibly '
'visitors)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs, financial data, '
'and health insurance info)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Names',
'Addresses',
'Dates of Birth',
'Social Security Numbers',
"Driver's License Numbers",
'Health Insurance Information',
'Financial Account or Payment '
'Information']},
'date_detected': '2025-06-03',
'date_publicly_disclosed': '2025-09-25',
'description': 'Aquarium of the Pacific, Southern California’s largest '
'aquarium with 1.5 million visitors annually, experienced a '
'data breach. On June 3, 2025, the organization detected '
'suspicious activity within an internal email account. An '
'investigation determined that an unauthorized party gained '
'access to the email account between April 19, 2025, and June '
'3, 2025. The breach compromised personally identifiable '
'information (PII) of current and former employees and '
'possibly visitors, including names, addresses, dates of '
"birth, Social Security numbers, driver's license numbers, "
'health insurance information, and financial account or '
'payment information.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive PII',
'data_compromised': ['Personally Identifiable Information (PII)',
'Names',
'Addresses',
'Dates of Birth',
'Social Security Numbers',
"Driver's License Numbers",
'Health Insurance Information',
'Financial Account or Payment Information'],
'identity_theft_risk': 'High (due to exposure of SSNs, financial '
'data, and other sensitive PII)',
'legal_liabilities': 'State and federal disclosure requirements; '
'potential legal risks from exposed PII',
'payment_information_risk': 'High (financial account or payment '
'information exposed)',
'systems_affected': ['Internal Email Account']},
'initial_access_broker': {'entry_point': 'Internal email account'},
'investigation_status': 'Completed (unauthorized access period identified: '
'April 19, 2025 – June 3, 2025)',
'post_incident_analysis': {'corrective_actions': ['Offering identity '
'protection services to '
'affected individuals',
'Compliance with regulatory '
'disclosure requirements']},
'recommendations': ['Sign up for the free IDX identity theft protection '
'services (offered by Epiq - Privacy Solutions).',
'Monitor credit reports and financial accounts for '
'unusual activity.',
'Be alert for phishing emails or calls exploiting exposed '
'information.',
'Consider placing a fraud alert or credit freeze with '
'major credit bureaus.'],
'references': [{'source': 'Aquarium of the Pacific Breach Notice (via Claim '
'Depot)'},
{'date_accessed': '2025-09-29',
'source': "Vermont Attorney General's Office Disclosure"}],
'regulatory_compliance': {'regulatory_notifications': ['Vermont Attorney '
"General's office "
'(notified Sept. 29, '
'2025)',
'State and federal '
'disclosure '
'requirements '
'(complied with)']},
'response': {'communication_strategy': ['Direct mail notifications to '
'impacted individuals',
'Public disclosure via regulatory '
'filings (e.g., Vermont AG)',
'Advisories for affected individuals '
'to sign up for identity protection, '
'monitor credit reports, and consider '
'fraud alerts/credit freezes'],
'incident_response_plan_activated': True,
'remediation_measures': ['Notification of impacted individuals '
'via mail (starting Sept. 25, 2025)',
'Disclosure to Vermont Attorney '
"General's office (Sept. 29, 2025)",
'Offer of 12 months of free Epiq - '
'Privacy Solutions ID credit monitoring '
'and identity protection services']},
'stakeholder_advisories': 'Impacted individuals notified via mail with '
'guidance on identity protection measures.',
'title': 'Data Breach at Aquarium of the Pacific',
'type': 'Data Breach'}