Stolen Data: National PTA Database Available on Dark Web

UpGuard Team
Published May 14, 2024

Scope

  • Company: National Parent Teacher Association 
  • Company HQ: Alexandria, Virginia
  • Industry: Education
  • Data Exposed: 70K rows of data
  • Data Types: Certificates of insurance with names, details, and physical addresses (70k rows); A list of schools and colleges (22k rows); institutional information on registrants, partial payment information, and PTO member details, including names, addresses, email addresses, and expiration dates.
  • Impact: PTA organizations, The National PTA, and schools associated with PTA.
  • Exposure Vector: Dark Web Data Sales
  • Asking price for data: 4 “credits” (approximately 1 Euro)

The dark web offers forums for hackers and other cybercriminals to buy and sell stolen data. Valuable data comes in many forms. Just in the last week, Dell customer order records, Zscaler credentials, and a jewelry clientele database were posted for purchase. On May 13th, UpGuard discovered a new set of data recently posted on a prominent dark web forum, this time allegedly belonging to the National Parent Teacher Association. This dataset, which is claimed to have been obtained during a March 2024 data breach, contains over 77,000 records, including personal and institutional details such as names, physical addresses, email addresses, and even partial payment information.

According to the National PTA website, the PTA is “the oldest and largest child advocacy association in America. PTA is composed of millions of parents, teachers, grandparents, caregivers, foster parents, and other caring adults who share a commitment to improving the education, health, and safety of all children.”

Data Leaked

UpGuard obtained and verified the sample database posted on the dark web forum, which appears legitimate. The information spans nine years, 2015-2024, and affects people from all 50 US states. The most recent PTO registration dates were from the beginning of March 2024, suggesting cybercriminals exfiltrated the data around that time.

The details include:

  • Certificates of Insurance, with names, addresses, and other relevant details (70k rows)
  • A list of schools and colleges involved with PTA (22k rows)
  • Information on registered institutions
  • Partial payment details
  • PTO membership details, including names, email, physical addresses, school details, and expiration dates (17k rows)

Approximately 17,000 individual email addresses are present, with 12,000 from standard email providers like Gmail, 3,000 from school mail domains, and 2,000 from other mail domains, including people using their business email accounts. 

The data is split into CSV files, each containing different data types.

  • PTO - PTO.csv contains PII that appears to belong to the parents associated with the PTA. There are identifiable natural persons with the same names, cities of residence, and employers as the records in this file. 

Several other files had data related to insurance policies for sporting events, with metadata about the events, policies, and payments. 

  • Payment - The column headers for this file show payment details, such as PMTCheckNum, the 10-digit number of a banking check; PMTPaidAmount, the dollar amount paid; and PMTComment, present only on some rows, which describes the transaction. Other columns contain liability data and medical insurance carriers, so these appear to be insurance payments.
  • Medical - Contains policy numbers and medical premium dollar values.
  • COIAdditionalInsured - The most extensive file by size, documenting which events have insurance.
  • MasterClient - This file contains contact information for insured people at the relevant schools and organizations.
  • Colleges - This file contains public firmographic information about colleges.

Redacted Data Samples

The sample database provided on the forum showed the data types available in the set.

  • Figure: Schools and colleges registered with the PTA
  • Figure: Partial payment details
  • Figure: Information on schools and organizations related to the PTA
  • Figure: Approximately 17k rows of data were present for PTA affiliate organizations and their contacts

Impact

This type of data enables fraud, but that is not the only risk. Public and higher education now serve as political battlegrounds, with situations often becoming hostile and dangerous, and the details present in this dataset provide the means to harass many individuals and organizations within that landscape. The threat actor offering this data is known for previously selling EUROPOL data. Likewise, the forum the actor posted it on, BreachForums, has already had a previous incarnation seized by the FBI. The entire PTA data set is being offered for 4 “credits,” which equals about 1 euro in value. Essentially, anyone could purchase this set for any reason; it is not being held for a large ransom. This low barrier to obtaining stolen data raises the stakes for all leaks and breaches.
