.jpg)
Key facts: CHP 11-99 Foundation data breach
- Date reported: February 3, 2026.
- Unauthorized access period: September 16, 2025 – September 24, 2025.
- Target entity: CHP 11-99 Foundation (chp11-99.org).
- Cause: Business Email Compromise (BEC) following a phishing link.
- Data types: Full names, addresses, Social Security numbers, driver’s license numbers, and bank/credit card information.
- Records involved: Undisclosed number of members and donors.
- Severity: Medium; the organization is offering 12 months of credit monitoring via Kroll.
What happened in the CHP 11-99 Foundation data breach?
The CHP 11-99 Foundation (chp11-99.org), a nonprofit supporting California Highway Patrol employees, reported a significant data security incident on February 3, 2026. The breach originated on September 16, 2025, when a staff member received a suspicious email. Following protocol, the staff member forwarded the email to their external IT service provider for verification. The help desk mistakenly identified the link as "clean," leading the employee to click it and inadvertently grant an attacker full access to their email account.
The unauthorized access remained undetected until September 24, 2025, when the attacker attempted to use the compromised account to launch a secondary phishing attack against the same IT help desk. Forensic investigations confirmed that the attacker had full access to all email folders, including attachments such as membership applications, merchandise orders, and payment forms. Notification letters were sent to affected individuals in late January and early February 2026.
Who is behind the incident?
The specific threat actor or group behind the attack has not been identified. The methods used—phishing and business email compromise—are common tactics for financially motivated cybercriminals. Notably, the attacker attempted to pivot from the Foundation’s email account to target their external service provider, suggesting a sophisticated interest in higher-level access beyond the initial nonprofit target. In response to the service provider's error, the Foundation has indicated plans to transition to a new IT and security partner.
Impact and risks for CHP 11-99 Foundation customers
For members and donors of the CHP 11-99 Foundation, the exposure of high-sensitivity data such as Social Security numbers, driver’s license numbers, and banking details creates a serious risk of identity theft and financial fraud. Malicious actors could potentially use these identifiers to open fraudulent credit lines, file false tax returns, or conduct unauthorized bank transfers.
Beyond financial risks, the exposure of personal contact information increases the likelihood of targeted "spear-phishing" attacks. Because the attacker successfully impersonated a staff member once, they may attempt to contact donors again using the stolen information to appear legitimate. Affected individuals are eligible for 12 months of complimentary identity monitoring and fraud consultation through Kroll. It is highly recommended that victims activate these services and consider a security freeze on their credit files.
Frequently asked questions
What happened in the CHP 11-99 Foundation security breach?
An attacker gained full access to a CHP 11-99 Foundation staff member's email account after the organization's IT help desk incorrectly verified a phishing link as safe. This allowed the attacker to view sensitive documents, including membership and payment forms, for approximately eight days in September 2025.
When did the CHP 11-99 Foundation breach occur?
The unauthorized access occurred between September 16 and September 24, 2025. While the incident was detected in late September, the formal public disclosure and individual notifications were issued on February 3, 2026.
What data was exposed?
The breach potentially compromised full names, mailing addresses, email addresses, driver’s license numbers, Social Security numbers, and bank or credit card information found within the staff member’s email folders.
Is my personal information at risk?
If you have submitted a membership application, purchased merchandise, or made a donation to the Foundation, your data may have been stored in the compromised email account. The Foundation has mailed notice letters to those specifically identified as affected. If you received this letter, your personal information is considered at risk.
How can I protect myself after the CHP 11-99 Foundation data breach?
- Enroll in the free 12-month credit monitoring service provided by Kroll.
- Change the passwords for your email and any financial accounts that share similar login credentials.
- Enable multi-factor authentication (MFA) on all sensitive accounts.
- Monitor your bank and credit card statements closely for any unauthorized transactions.
- Contact the three major credit bureaus—Equifax, Experian, and TransUnion—to place a fraud alert or security freeze on your credit report.
What steps should companies take after being impacted by the CHP 11-99 Foundation breach?
After a breach, companies should immediately secure the affected accounts, conduct a forensic investigation to determine the data scope, and notify law enforcement and affected individuals. The CHP 11-99 Foundation has since hardened its security protocols, implemented MFA across its systems, and is in the process of replacing its IT service provider.
.jpg)
.jpg)
