The Children’s Council of San Francisco has notified more than 12,000 individuals that their personal information was compromised in a cyberattack discovered last year.
According to breach notification letters, the incident occurred on August 3, 2025, when the organization experienced what it described as a network disruption. An investigation later found that an unauthorized actor had accessed and obtained certain data.
“On August 3, 2025, ChCo experienced a network disruption,” the Council said in its notice to affected individuals.
“The investigation determined that an unknown actor accessed and acquired certain data without authorization.”
The compromised information includes names and Social Security numbers belonging to 12,655 people.
The notice did not specify whether the affected data included information related to children served by the organization. About two weeks after the breach occurred, a ransomware group known as SafePay claimed responsibility for the attack on its data leak website.
The group reportedly demanded payment within 24 hours in exchange for deleting the stolen data. The Children’s Council has not confirmed the claim made by SafePay, and it remains unclear how attackers gained access to the organization’s systems.
The nonprofit has not disclosed whether a ransom demand was paid.
The organization said it is offering individuals affected by the breach free identity protection services.
Victims can enroll in 12 months of credit monitoring and receive identity theft insurance coverage of up to one million dollars through TransUnion. The offer is available for 90 days from the date of the notification letter.
SafePay is a ransomware operation that began publicly listing its victims on a leak site in November 2024. The group uses ransomware based on the LockBit strain and typically employs a double extortion strategy, demanding payment both to restore encrypted systems and to prevent the release of stolen data.
In 2025, SafePay claimed responsibility for 374 ransomware attacks. Of those, 46 organizations confirmed the incidents and reported data breaches affecting about 17 million people. One of the largest involved Conduent Business Services, which notified approximately 16.7 million individuals that their data had been exposed.
The group continues to be active in 2026 and has already taken credit for more than a dozen additional attacks, although only one of those has been confirmed so far.
Ransomware incidents targeting organizations in the United States remain widespread.
Researchers tracked 653 confirmed ransomware attacks against U.S. organizations in 2025, exposing roughly 43.3 million personal records.
Several nonprofit and social service organizations have been among the victims. Recent incidents have affected groups such as Bucks County Opportunity Council in Pennsylvania, Catholic Charities of the Diocese of Albany in New York, North American Family Institute in Massachusetts, Elmcrest Children’s Center in New York and Family and Community Services in Ohio.
The Children’s Council of San Francisco is a nonprofit that works with government agencies to support childcare and early education services. The organization helps families locate and pay for childcare while distributing public funding to childcare providers that serve infants and children up to age 13.
According to its website, the nonprofit administers an annual budget of nearly 250 million dollars and partners with the California Department of Social Services as well as local government agencies in San Francisco.
