Children’s Council of San Francisco breach exposes PHI of over 12k
Farah Amod
April 1, 2026
A nonprofit that administers childcare funding in San Francisco disclosed a cyber incident that exposed sensitive personal data.
What happened
The Children’s Council of San Francisco notified 12,655 people that their personal information was compromised in a data breach that occurred on August 3, 2025. According to breach notices sent to affected individuals, the incident involved unauthorized access to the organization’s network and the acquisition of data that included names and Social Security numbers. The nonprofit said the issue began as a network disruption and was later determined to involve unauthorized data access. The organization has not disclosed how attackers gained entry or whether the stolen information included data belonging to children served by its programs.
Going deeper
Two weeks after the incident, a ransomware group known as SafePay listed the Children’s Council of San Francisco on its data leak site and claimed responsibility for the attack. The group allegedly demanded payment within 24 hours to delete the stolen information. SafePay uses ransomware based on the LockBit malware family, a strain designed to encrypt files and disrupt operations until a ransom is paid. The gang also employs a double-extortion model, in which attackers encrypt systems and threaten to publish stolen data unless payment is made. The Children’s Council has not publicly confirmed SafePay’s involvement, and details about the attack method, ransom demand, or potential payment remain undisclosed.
What was said
In the notification letter sent to victims, the Children’s Council stated, “On August 3, 2025, ChCo experienced a network disruption. The investigation determined that an unknown actor accessed and acquired certain data without authorization.” The statement appeared in the breach notice distributed to affected individuals when the incident was disclosed in early 2026.
In the know
According to Comparitech, “SafePay is a ransomware gang that started listing the organizations it hacks on its data leak site in November 2024,” using LockBit-based ransomware and a double-extortion approach where victims must pay to restore systems and prevent stolen data from being released. The report states that “in 2025, SafePay claimed responsibility for 374 ransomware attacks,” with 46 confirmed incidents impacting 17 million people, including a breach at Conduent Business Services affecting 16.7 million individuals. The group is still active in 2026, having claimed 16 additional attacks so far, with one confirmed, and another target, Franze Sales Hause in Germany, reportedly refusing to meet the group’s six-figure ransom demand.
The big picture
Comparitech researchers recorded 653 confirmed ransomware attacks on US organizations in 2025, compromising about 43.3 million personal records. Several incidents affected nonprofits and social service providers, including the Children’s Council of San Francisco and groups such as Bucks County Opportunity Council, Catholic Charities of the Diocese of Albany, North American Family Institute, Elmcrest Children’s Center, and Family & Community Services, with attacks linked to ransomware groups like Money Message, Inc, Qilin, and Interlock. In 2026 so far, researchers have confirmed 21 additional ransomware attacks and are tracking around 700 more claims reported this year.
FAQs
What information was exposed in the Children’s Council breach?
The compromised data included names and Social Security numbers. The organization has not disclosed whether additional information, such as addresses or financial records, was affected.
Did the ransomware group SafePay confirm the attack?
SafePay listed the organization on its data leak site and claimed responsibility; however, the Children’s Council has not publicly verified that the group carried out the breach.
What is double-extortion ransomware?
Double-extortion ransomware encrypts an organization’s systems and steals data. Attackers then demand payment to both restore access and prevent the stolen data from being published.
What support is being offered to affected individuals?
The Children’s Council is offering 12 months of credit monitoring and identity theft protection through TransUnion, including up to $1 million in identity theft insurance.
Why do ransomware groups frequently target nonprofits?
Nonprofits often manage large volumes of personal information while operating with smaller cybersecurity teams and budgets, making them attractive targets for attackers seeking sensitive data or ransom payments.
