On Sept. 8, 2025, Thomas Safran & Associates, a real estate development and management company based in Los Angeles, experienced a significant data breach involving unauthorized access to a confidential computer server. The cybersecurity event
The breach was first identified when suspicious activity was detected on the company’s network. Immediate steps were taken to secure the environment, and outside computer forensic experts were engaged to assist with the investigation.
Further analysis revealed that the breach was caused by a ransomware attack carried out by the PLAY ransomware group, who claimed responsibility on the dark web on Sept. 17, 2025. The group threatened to publish the stolen data within days, stating that they had obtained private and personal confidential data, client documents, budget, payroll, accounting, tax records, IDs and financial information.
The investigation determined that the compromised documents included personally identifiable information (PII) such as names, dates of birth, addresses and Social Security numbers. The breach affected an undisclosed number of individuals, including residents and possibly employees, given the nature of the information stored on the targeted server.
The incident was officially disclosed to the California Attorney General’s office on Nov. 24, 2025.
Thomas Safran and Associates’ response
In response to the breach, Thomas Safran & Associates took several immediate and ongoing actions to protect affected indivi
Source: https://www.claimdepot.com/data-breach/thomas-safran-associates-2025
Thomas Safran & Associates cybersecurity rating report: https://www.rankiteo.com/company/thomas-safran-&-associates
"id": "THO1764780984",
"linkid": "thomas-safran-&-associates",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'incident': {'affected_entities': [{'customers_affected': 'Undisclosed number '
'of individuals '
'(residents and '
'possibly '
'employees)',
'industry': 'Real Estate Development and '
'Management',
'location': 'Los Angeles, California',
'name': 'Thomas Safran & Associates',
'size': None,
'type': 'Company'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Threatened to publish '
'stolen data',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Names, '
'dates of '
'birth, '
'addresses, '
'Social '
'Security '
'numbers',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally '
'identifiable '
'information (PII), '
'financial '
'information, client '
'documents, payroll, '
'accounting, tax '
'records'},
'date_detected': '2025-09-08',
'date_publicly_disclosed': '2025-11-24',
'description': 'Thomas Safran & Associates, a real estate '
'development and management company, experienced '
'a significant data breach involving unauthorized '
'access to a confidential computer server. The '
'breach was caused by a ransomware attack carried '
'out by the PLAY ransomware group, who claimed '
'responsibility on the dark web and threatened to '
'publish stolen data, including private and '
'personal confidential data, client documents, '
'budget, payroll, accounting, tax records, IDs, '
'and financial information.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Private and personal '
'confidential data, client '
'documents, budget, payroll, '
'accounting, tax records, IDs, '
'financial information, '
'personally identifiable '
'information (PII)',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'Confidential computer server'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'motivation': 'Extortion, Data Theft',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': 'Yes',
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': 'PLAY'},
'references': [{'date_accessed': None,
'source': 'California Attorney General’s office '
'disclosure',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'California '
'Attorney '
'General’s '
'office'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': 'Immediate steps to secure '
'the environment',
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': 'Outside computer '
'forensic experts'},
'threat_actor': 'PLAY ransomware group',
'title': 'Thomas Safran & Associates Data Breach and Ransomware '
'Attack',
'type': 'Ransomware, Data Breach'}}