AIPAC is reviewing a data breach after discovering that an unauthorized party accessed files containing personal information earlier this year. According to a notice submitted to the Maine Attorney General, the organization identified the incident on August 28 and determined that the attacker accessed data stored between October 20, 2024, and February 6, 2025. AIPAC reported that 810 individuals were affected, including at least one resident of Maine, and began issuing notification letters in mid-November.
The organization said the exposed information may include names, phone numbers, email addresses, and postal addresses. Some individuals may also have had identity documentation or financial details stored in the affected files, although AIPAC has not specified how many records contained those categories of data. The review is ongoing and aims to confirm which documents were accessed and which individuals were directly impacted. AIPAC noted that the incident did not involve ransomware and has not been linked to any public extortion attempt.
AIPAC has not disclosed the method used to obtain access or the system that was compromised. The several-month window during which the attacker accessed stored data suggests the intruder maintained persistent access before detection. Security analysts say that long dwell times can increase the risk of misuse because the attacker may have viewed or extracted multiple file types containing different categories of personal information.
The organization stated that it engaged external cybersecurity support to investigate the incident and has taken steps to secure the affected environment. The ongoing review includes identifying the specific files involved, analysing access logs, and verifying whether additional information was exposed. AIPAC said it will provide further details to regulators as required under state and federal notification rules.
The data types listed in the disclosure can be used in identity theft, phishing attempts, or targeted social engineering. Individuals who receive a notification are advised to monitor accounts for unusual activity and be cautious of unsolicited messages that reference personal details or their association with AIPAC. Analysts note that public affairs organizations often store contact information for supporters, attendees, and donors, which can make these groups appealing targets for threat actors seeking identifiable and high-quality data.