Stolen Data: National PTA Database Available on Dark Web

UpGuard Team
UpGuard Team
Published May 14, 2024


  • Company: National Parent Teacher Association 
  • Company HQ: Alexandria, Virginia
  • Industry: Education
  • Data Exposed: 70K rows of data
  • Data Types: Certificates of insurance with names, details, and physical addresses (70k rows); A list of schools and colleges (22k rows); institutional information on registrants, partial payment information, and PTO member details, including names, addresses, email addresses, and expiration dates.
  • Impact: PTA organizations, The National PTA, and schools associated with PTA.
  • Exposure Vector: DarkWeb Data Sales
  • Asking price for data: 4 “credits” (approximately 1 Euro)

The dark web offers forums for hackers and other cybercriminals to buy and sell stolen data. Valuable data comes in many forms. Just in the last week, Dell customer order records, Zscaler credentials, and a jewelry clientele database were posted for purchase. On May 13th, UpGuard discovered a new set of data recently posted on a prominent dark web forum, this time allegedly belonging to the National Parent Teacher Association. This dataset, which is claimed to have been obtained during a March 2024 data breach, collects over 77,000 records, including personal and institutional details such as names, physical addresses, email addresses, and even partial payment information. 

According to the National PTA website, the PTA is “the oldest and largest child advocacy association in America. PTA is composed of millions of parents, teachers, grandparents, caregivers, foster parents, and other caring adults who share a commitment to improving the education, health, and safety of all children.”

Data Leaked

UpGuard obtained and verified the sample database posted on the dark web forum, which appears legitimate. The information spans nine years, 2015-2024, and affects people from all 50 US states. The most recent PTO registration dates were from the beginning of March 2024, suggesting cybercriminals exfiltrated the data around that time.

The details include:

  • Certificates of Insurance, with names, addresses, and other relevant details (70k rows)
  • A list of schools and colleges involved with PTA (22k rows)
  • Information on registered institutions
  • Partial payment details
  • PTO membership details, including names, email, physical addresses, school details, and expiration dates (17k rows)

Approximately 17,000 individual email addresses are present, with 12,000 from standard email providers like Gmail, 3,000 from school mail domains, and 2,000 from other mail domains, including people using their business email accounts. 

The data is split into CSV files, each containing different data types.

  • PTO - PTO.csv contains PII that appears to belong to the parents associated with the PTA. There are identifiable natural persons with the same names, cities of residence, and employers as the records in this file. 

Several other files had data related to insurance policies for sporting events, with metadata about the events, policies, and payments. 

  • Payment - The column headers for this file show payment details, such as PMTCheckNum, the 10-digit number of a banking check; PMTPaidAmount, the dollar amount paid; PMTComment, only present on some rows, describes the transaction. These appear to be insurance payments based on other columns that contain liability data and medical insurance carriers.
  • Medical - Contains policy numbers and medical premium dollar values.
  • COIAdditionalInsured - The most extensive file by size, documenting which events have insurance.
  • MasterClient - This file contains contact information for insured people at the relevant schools and organizations.
  • Colleges - This file contains public firmographic information about colleges.

Redacted Data Samples

The sample database provided on the forum showed the data types available in the set.

data from PTA database showing schools and colleges registered with the PTA
Schools and colleges registered with the PTA
dataset from the PTA database showing partial payment details
Partial payment details
dataset on PTA database showing information on schools and organizations related to the PTA
Information on schools and organizations related to the PTA
dataset from pta database showing approximately 17k rows of data were present for PTA affiliate organizations and their contacts
Approximately 17k rows of data were present for PTA affiliate organizations and their contacts


Aside from the fraud this type of data enables, public and higher education now serve as political battlegrounds, with situations often becoming hostile and dangerous. The details present in this dataset provide the means to harass many individuals and organizations within that landscape. The threat actor offering this data is known for previously selling EUROPOL data. Likewise, the forum the actor posted it on, BreachForum, has already had a previous incarnation seized by the FBI. The entire PTA data set is being offered for 4 “credits,” which equals about 1 euro in value. Essentially, anyone could purchase this set for any reason; it is not being held for a large ransom. This low bar of entry to obtaining stolen data raises the stakes for all leaks and breaches.

Is your organization at risk of a data breach? Collect a FREE snapshot of your security score to find out.

UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.

Related breaches

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up for our newsletter

Stay up-to-date on everything UpGuard with our monthly newsletter, full of product updates, company highlights, free cybersecurity resources, and more.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating