The American Israel Public Affairs Committee (AIPAC), a prominent non-profit organization advocating for pro-Israel policies, has disclosed a significant data breach that compromised the sensitive information of hundreds of individuals.
According to a recent notification filed with the Maine Attorney General, hackers accessed systems containing personal identifiers, payment card details, and banking information.
This incident, which spanned from October 20, 2024, to February 6, 2025, affected a total of 810 people, including just one resident of Maine.
The breach highlights ongoing cybersecurity risks for advocacy groups handling donor and member data, potentially exposing victims to identity theft and financial fraud.
AIPAC’s headquarters at 251 H St NW in Washington, NY (zip code 20001), serves as the base for its operations.
The organization works to strengthen U.S.-Israel relations through lobbying and educational efforts.
However, this external hacking incident underscores vulnerabilities in non-profit IT infrastructures, where budget constraints often limit advanced defenses such as multi-factor authentication and real-time intrusion detection systems.
Hackers likely exploited unpatched software or weak network perimeters to infiltrate the systems, a common tactic in targeted attacks on political entities.
The stolen data included names combined with financial specifics, such as credit card numbers and bank account details, which could enable unauthorized transactions or phishing schemes.
Breach Discovery and Investigation
AIPAC discovered the breach on April 20, 2027, well after the intrusion period ended, raising questions about detection delays.
In cybersecurity terms, this lag points to potential gaps in monitoring tools, such as endpoint detection and response (EDR) software, which can detect anomalous behavior, such as unusual data exfiltration.
The breach was classified as an external system hack, suggesting that attackers used techniques such as SQL injection or credential stuffing to gain entry.
Once inside, they could have enumerated databases to harvest structured data personal identifiers like Social Security numbers or addresses paired with payment info stored in formats vulnerable to scraping.
The notification, submitted by AIPAC’s counsel, Damon Silver of Jackson Lewis PC, details the scope, excluding any prior breaches reported in the last 12 months.
Silver, reachable at (212) 545-4063, emphasized the organization’s swift response post-discovery.
No evidence indicates that the data has been sold on dark web forums yet. However, experts recommend that affected individuals monitor their accounts closely.
Technical analysis might involve forensic tools like Wireshark for network logs or Volatility for memory dumps to trace the attack vector.
Notification and Protective Measures
On November 13, 2025, AIPAC sent electronic notifications to impacted individuals, including a multi-state letter outlining the incident.
For the single Maine resident, this complies with state laws requiring prompt disclosure for breaches affecting 1,000 or fewer locals no consumer reporting agency alerts were needed.
To mitigate risks, AIPAC partnered with IDX to offer 12 months of comprehensive identity theft protection.
Services include credit monitoring via Equifax, Experian, and TransUnion; CyberScan for dark web surveillance; a $1 million insurance policy covering fraud losses; and fully managed recovery assistance, where experts handle disputes with banks and credit bureaus.
This breach comes amid rising cyber threats to non-profits, with similar incidents targeting groups like the NRA and the ACLU in recent years.
Victims should enable transaction alerts, freeze credit reports, and use virtual card numbers for future donations.
AIPAC urges caution against scam emails claiming to be from the organization. As investigations continue, the full impact remains unclear.
However, it serves as a reminder to use robust encryption for sensitive data, such as tokenizing payment information to prevent direct exposure.
Strengthening zero-trust architectures could prevent future exploits, ensuring donor trust in advocacy work.
, a prominent non-profit organization advocating for pro-Israel policies, has){kind=link}