The American Israel Public Affairs Committee (AIPAC) has reported a data breach stemming from a compromise of an external system managed by an unidentified third-party service provider. This breach was publicly disclosed in a notification to the Maine attorney general’s office on November 14, 2025.
Extended Unauthorized Access
According to the official filing, the breach was detected on August 28, 2025, revealing that files within AIPAC’s data systems were accessed without authorization from October 20, 2024, to February 6, 2025. Investigations indicate that personal identifiers, including names, were compromised during this unauthorized access.
A total of 810 individuals were affected by the breach, which included one resident of Maine. While AIPAC has not disclosed the specific types of personal information involved, such identifiers—often referred to as PII—typically include sensitive data such as Social Security Numbers, driver’s license numbers, state ID numbers, passport numbers, home addresses, contact details, and financial information.
“We are writing to notify you that the American Israel Public Affairs Committee (“AIPAC” or the “Organization”) was the subject of a criminal cyberattack (the “Incident”).
(…)
“Through its extensive investigation, AIPAC determined that the Incident resulted in unauthorized access to certain files stored on its information systems. The Organization then undertook the time- and resource-intensive steps of determining whether those files contained personally identifiable information (“PII”) and to identify the data subjects to whom that PII related.”
Snippet from AIPAC Notification
AIPAC initiated notifications to affected individuals via email on November 13, 2025. The communication reassured recipients that, as of this date, there had been no indications of misuse of compromised data. Notably, there has been no claim of responsibility for the attack, and no leaked AIPAC-related data has appeared in underground hacker forums to date.
In response to this incident, AIPAC is offering identity protection services for twelve months through IDX. This service package encompasses credit monitoring, CyberScan detection, insurance reimbursement for identity theft, and support for identity recovery.
Following the breach, AIPAC has implemented enhanced security measures to bolster its defenses. These new controls include posture management, non-human identity verification, email data loss prevention strategies, Microsoft 365 access restrictions, alert systems for privilege escalation, geolocation constraints, and a more robust monitoring protocol.
Understanding AIPAC
AIPAC operates as a prominent political organization in the United States, devoted to influencing policies that affect U.S.-Israel relations. Its activities include lobbying support in Congress, mobilizing resources for advocacy efforts, and promoting legislation aligned with its initiatives. AIPAC stands out as one of the most active groups in Washington, D.C., and it actively engages with legislators, their staff, and supporters to further its objectives.
This incident underscores the vulnerabilities many organizations face, particularly those managing sensitive information. With AIPAC as a target, tactics such as initial access and persistence were likely employed to maintain unauthorized visibility into their systems, reflecting a growing trend where cyberattacks exploit external relationships to infiltrate networks.
