Posted as a guest editorial on PennLive.com on March 29th
David R. Osborne and William “Chip” Rogers
The American Federation of Teachers (AFT) recently sued the Department of Government Efficiency (DOGE) over concerns about Elon Musk’s crew gaining access to the personal information of union members. In a statement, AFT President Randi Weingarten said union members “expect that data to be protected and used for the reasons it was intended, not appropriated for other means.” She highlighted the need for “a firewall between actors [who] … lack the legitimacy and authority to access Americans’ personal data and are using it inappropriately, without any safeguards.”
However, judging by recent events, union bosses like Weingarten should focus less on DOGE and more on what’s happening within their organizations, such as the Pennsylvania State Education Association (PSEA). It took PSEA, the state’s largest teacher union, more than eight months to fess up to a dark web cyber breach. On July 6, 2024, hackers accessed personal information of more than 500,000 people, including driver’s licenses, Social Security numbers, banking and medical information, and passport numbers. The cyberattack provoked a months-long investigation by the union, which ended Feb. 18, 2025. Yet, it wasn’t until March 17, 2025, that PSEA finally gave its members an account of what happened. To be fair, PSEA may not have learned about the breach immediately. However, reports about the hack emerged six months ago. On Sept. 9, 2024, Rhysida, an infamous hacker group, publicly claimed responsibility for the attack, posting a threat to leak the personal information online and demanding a ransom of 20 Bitcoins (about $1.1 million at the time of the breach). SecurityWeek, a cybersecurity news site, reported the Rhysida threat and ransom demand. At some point between the breach and the news story breaking, Rhysida removed the post, leaving some to wonder if PSEA paid the ransom.
Rather than admit their mistake, union leadership left its members in the dark for months. People who experience identity theft can still protect themselves by filing a police report or freezing their credit. But, without any knowledge, PSEA members had no reason to take defensive action, leaving their personal information susceptible to thieves and hackers.
Unfortunately, what happened to PSEA isn’t an isolated incident. Hackers increasingly see unions as easy targets with minimal security and deep pockets.
Last year, Service Employees International Union Local 1000, which serves 100,000 California state employees, also fell victim to ransomware. And in a similar lack of transparency, the California union masked what happened behind vagaries and euphemisms, calling the crime “a network disruption by an outside actor.”
This dereliction of duty comes at a great cost. Following another data breach, UNITE HERE, a New York-based labor union that exposed the data of 800,000 people, paid $6 million in an out-of-court settlement. In 2023, a Boston union lost $6.4 million of member health funds to hackers.
Most corporations have sensitive personal information. And that comes with a duty to protect it. This duty to invest in security measures that keep hackers from accessing the information makes consumers feel more comfortable voluntarily providing what would otherwise be confidential.
However, not all union members voluntarily provide their personal information to their unions. Often, unions procure personal information without consent. Sometimes, public sector employers, such as school districts, disclose their employees’ private information to unions without seeking worker permission. Unions also negotiate access during the collective bargaining process. Often, employees have no idea their union has access to this information.
And why do unions need this information? Unions have increasingly become political actors, mobilizing their resources (i.e., member dues) for political campaigns and other non-employment-based activities. Unions also use the information for collections of unpaid dues.
If you’re a union member, now is the time to ask your union the hard questions. What personal information does your union have? How did they obtain it? Why do they need it? What are they doing to protect it? Are your union bosses genuinely trustworthy, responsible stewards with your best interests in mind?
If your union cannot answer these questions, you must ask: Why should anybody trust such a negligent organization? Union members deserve the same “firewall” demanded by Weingarten—only this time between members and their neglectful union bosses.