When cybercriminals target a hospital or a bank, the public outrage is immediate and visceral. But when attackers go after a nonprofit that serves low-income families, immigrant communities, and children under the age of 13, the breach carries a different weight entirely — one measured not just in stolen data, but in the betrayal of trust placed in an organization designed to protect society’s most vulnerable.
The Children’s Council of San Francisco (ChCo) has confirmed that a data breach affecting 12,655 individuals occurred on August 3, 2025, after an unauthorized actor gained access to the organization’s network and acquired sensitive personal data. The breach was reported to the Maine Attorney General and multiple other state regulators in early March 2026, with notification letters mailed to affected individuals beginning February 27, 2026.
Two weeks after the initial intrusion, the SafePay ransomware gang — a LockBit-derived group responsible for hundreds of attacks and breaches affecting millions of records in 2025 alone — claimed responsibility for the attack on its dark web data leak site, demanding a ransom within 24 hours.
A class action lawsuit has already been filed in San Francisco County Superior Court, and multiple law firms are investigating additional claims on behalf of affected individuals.
What Is the Children’s Council of San Francisco?
To understand the gravity of this breach, you need to understand what the Children’s Council does — and who it serves.
Founded in 1973, the Children’s Council of San Francisco is one of the Bay Area’s largest and most critical childcare resource organizations. It operates as a nonprofit contractor of the California Department of Social Services, San Francisco City, and San Francisco County, serving as the primary intermediary between public funding and the childcare ecosystem.
The organization’s core functions include:
- Childcare referral services — helping families find available childcare providers
- Financial assistance programs — administering subsidies for low-income families who can’t afford childcare
- Provider support — licensing, training, and resources for childcare programs and early education providers
- Family workshops — health, nutrition, and parenting resources
- Multilingual services — support in English, Spanish, Cantonese, Mandarin, Russian, and Vietnamese
The Children’s Council administers an annual budget of nearly $250 million and employs over 160 people. It serves as the financial backbone for childcare access in San Francisco, processing subsidy payments, managing provider credentials, and maintaining records for thousands of families, childcare workers, and educators.
The nature of this work means the Council collects and stores extraordinarily sensitive information: Social Security numbers for tax and subsidy purposes, immigration documents for eligibility verification, medical records for children and caregivers, financial data for means-testing, and driver’s licenses and state IDs for identity verification.
In short, the Children’s Council holds exactly the kind of data that makes a ransomware attack devastating — and the people it holds that data for are exactly the people least equipped to absorb the consequences.
The Breach Timeline: From Intrusion to Notification
The breach unfolded over a painfully long timeline, with nearly seven months passing between the initial intrusion and the start of victim notifications:
August 3, 2025: The Network Disruption
According to the Council’s breach notification letters, the organization “experienced a network disruption” on August 3, 2025. This is the standard euphemism for a ransomware attack — the disruption likely involved encrypted systems, disabled services, and operational chaos.
The Council secured its network and engaged cybersecurity experts to investigate the scope of the incident.
August 19, 2025: SafePay Claims Responsibility
Just 16 days after the breach, the SafePay ransomware group posted the Children’s Council of San Francisco on its dark web data leak site, claiming to have obtained sensitive data from the organization’s network. The group demanded a ransom payment within 24 hours to delete the stolen data.
It is not publicly known whether the Children’s Council paid the ransom. The Council has not acknowledged SafePay’s claim in its public communications, and the organization did not respond to media inquiries from Comparitech.
Investigation and Review
Following the breach, the Council engaged a third-party vendor to review the affected data and determine the full scope of personal information compromised. This review process took months.
February 23, 2026: Scope Confirmed
Nearly seven months after the intrusion, the Children’s Council confirmed the full scope of the breach and identified the specific individuals affected.
February 27, 2026: Notification Begins
The Council began mailing data breach notification letters to the 12,655 affected individuals. The letters detailed the types of information compromised (which varied by individual) and offered 12 months of free credit monitoring and $1 million in identity theft insurance through TransUnion.
March 2–3, 2026: State Regulatory Filings
Breach notifications were filed with attorneys general in Maine, California, Massachusetts, New Hampshire, and Vermont. According to the Maine filing, the breach affected 12,655 individuals nationwide, including one Maine resident and one New Hampshire resident.
March 10, 2026: First Lawsuit Filed
A data breach class action lawsuit — Nikkia Adams v. Children’s Council of San Francisco (CGC-26-634679) — was filed in San Francisco County Superior Court.
What Data Was Exposed
The information compromised in the breach varies by individual, but the full scope of potentially exposed data types is disturbingly broad. According to regulatory filings and law firm investigations, the following categories were affected:
- Names
- Social Security numbers
- Driver’s license numbers
- State identification numbers
- Tax identification numbers
- USCIS/Alien registration numbers
- Passport numbers
- Personal medical information
- Health insurance ID numbers
- Health insurance information
This is an exceptionally comprehensive data set. The inclusion of USCIS/Alien registration numbers and passport numbers is particularly alarming, as it suggests that immigration-related documents were among the compromised files. Given that the Children’s Council serves immigrant communities and processes eligibility documentation for public assistance programs, this data likely belongs to some of the most vulnerable individuals in the affected population.
For undocumented or recently documented families, the exposure of immigration records carries risks that extend far beyond financial fraud — it could have implications for immigration status, asylum proceedings, and personal safety.
The SSN Problem
Social Security numbers are the cornerstone of identity theft. Unlike a credit card number (which can be cancelled and reissued), a Social Security number is effectively permanent. Once exposed, it creates a lifetime of vulnerability. For the 12,655 individuals whose SSNs were compromised in this breach, the risk doesn’t expire when the free credit monitoring runs out in 12 months — it persists indefinitely.
For children whose SSNs were potentially exposed (the breach notification does not specify whether children’s records were compromised, but given the organization’s mission, the possibility is significant), the risk is even more acute. Child identity theft often goes undetected for years because parents rarely check their children’s credit reports. By the time the theft is discovered — often when the child applies for their first job or student loan — the damage can be extensive.
Who Is SafePay?
SafePay is a ransomware group that emerged in late 2024 and has rapidly become one of the more prolific operators in the ransomware ecosystem. The group uses ransomware built on the LockBit Black builder — a toolkit that leaked from the notorious LockBit ransomware gang following law enforcement actions.
Origins and Methods
SafePay’s first known attacks trace back to September 2024, according to Bitdefender research. The group emerged in the power vacuum left by the dismantling of ALPHV/BlackCat by law enforcement and the subsequent disruption of LockBit operations.
SafePay employs a double-extortion model: encrypting victim systems to disrupt operations (demanding ransom for decryption) while simultaneously exfiltrating data and threatening to publish it if the ransom isn’t paid. This dual-threat approach maximizes pressure on victims, who face both operational paralysis and the prospect of sensitive data being dumped publicly.
The group operates a data leak site on the Tor network where it lists victims and publishes stolen data when ransoms go unpaid.
2025 Track Record
SafePay was extraordinarily active in 2025. According to Comparitech’s tracking:
- 374 ransomware attacks claimed by SafePay in 2025
- 46 organizations confirmed the attacks
- 17 million people notified of resulting data breaches
- Conduent Business Services — the largest confirmed SafePay breach, notifying 16.7 million people
The group has shown a willingness to target organizations of all types and sizes, including social service organizations, municipalities, educational institutions, and manufacturers across multiple continents.
Targeting Nonprofits and Social Services
The Children’s Council is far from SafePay’s only social service target. Other nonprofit and social service organizations hit by ransomware in 2025 include:
- Bucks County Opportunity Council (PA) — breached by Money Message
- Catholic Charities of the Diocese of Albany (NY) — breached by Inc
- North American Family Institute (MA) — breached by Qilin
- Elmcrest Children’s Center (NY) — breached by Interlock
- Family & Community Services (OH) — breached by Qilin
- Franz Sales Haus (Germany) — targeted by SafePay itself; the organization refused to pay the six-figure ransom demand
The pattern is clear: ransomware gangs increasingly view nonprofits and social service organizations as attractive targets. These organizations often have limited cybersecurity budgets, outdated infrastructure, and large stores of sensitive personal data — a combination that makes them both vulnerable to attack and potentially willing to pay a ransom to protect the people they serve.
The Legal Landscape
Existing Lawsuit
The first class action lawsuit was filed on March 10, 2026: Nikkia Adams v. Children’s Council of San Francisco (CGC-26-634679) in San Francisco County Superior Court. The case alleges that the Council failed to adequately protect the personal information entrusted to it.
Law Firm Investigations
Multiple law firms have announced investigations or active recruitment of potential class members:
- Lynch Carpenter LLP (Pittsburgh) — announced investigation on March 18, 2026
- Strauss Borrelli PLLC (Chicago) — announced investigation on March 4, 2026
- Migliaccio & Rathod LLP (Washington, DC) — announced investigation on March 4, 2026
- Finkelstein Blankinship Frei-Pearson & Garber LLP — announced investigation on March 9, 2026
- The Lyon Firm — announced investigation on March 5, 2026
- Shamis & Gentile P.A. — announced investigation
- Dapeer Law — announced investigation
California’s Strong Data Protection Laws
This breach occurred under California’s legal framework, which provides some of the strongest consumer data protection laws in the country. Relevant statutes include:
- California Consumer Privacy Act (CCPA): Grants consumers rights over their personal information and allows private lawsuits for data breaches resulting from a business’s failure to maintain reasonable security measures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
- California Customer Records Act (Civ. Code § 1798.80 et seq.): Requires businesses that own or license personal information to implement reasonable security measures and provides for notification in the event of a breach.
- California Data Breach Notification Law (Civ. Code § 1798.29 & 1798.82): Mandates timely notification to affected individuals and the California Attorney General when a breach affects more than 500 residents.
For 12,655 affected individuals, even the minimum CCPA statutory damages of $100 per person would total $1.27 million. At the maximum of $750 per person, the exposure reaches $9.49 million — a significant sum for a nonprofit organization.
The Notification Delay Problem
One of the most troubling aspects of this breach is the timeline. The intrusion occurred on August 3, 2025. SafePay claimed responsibility on August 19, 2025. But notifications to affected individuals didn’t begin until February 27, 2026 — nearly seven months after the attack and more than six months after a ransomware gang publicly advertised the breach.
During those seven months, the compromised data was potentially available to criminals while affected individuals had no idea they were at risk. They weren’t monitoring their credit, weren’t watching for fraudulent insurance claims, weren’t alert to phishing attempts using their stolen personal details.
California law requires breach notifications to be made “in the most expedient time possible and without unreasonable delay.” Whether a seven-month delay qualifies as “unreasonable” will likely be a central issue in the pending litigation.
The Children’s Council will likely argue that the delay was necessary to complete its investigation and accurately identify affected individuals — a process that required engaging third-party vendors to review the compromised data set. This is a common defense, and courts have generally accepted that some investigation time is reasonable. But seven months stretches the boundaries of that argument, particularly when the breach was publicly attributed by the attackers within weeks of the incident.
Impact on Vulnerable Populations
The human dimension of this breach cannot be overstated. The Children’s Council serves:
- Low-income families receiving childcare subsidies — families who are already financially stretched and least able to absorb the costs of identity theft remediation
- Immigrant families whose USCIS records, alien registration numbers, and passport information may now be in criminal hands
- Children under 13 whose identity information may have been compromised before they’re old enough to understand what that means
- Childcare providers and educators — often low-wage workers who depend on the Council for professional credentials and financial support
- Families requiring multilingual services — communities that may face language barriers in understanding breach notifications and navigating the credit monitoring enrollment process
The Council’s offer of 12 months of free credit monitoring through TransUnion, while standard, is arguably insufficient for a breach of this nature. SSN exposure creates permanent risk, and 12 months of monitoring does little to address the long-term vulnerability. The $1 million identity theft insurance policy is a more meaningful remediation, but its effectiveness depends on victims knowing how to file claims and navigate the process — a challenge for populations with limited English proficiency or limited experience with financial systems.
What Affected Individuals Should Do
If you received a breach notification letter from the Children’s Council of San Francisco, take these steps immediately:
Priority Actions
- Enroll in the free credit monitoring — TransUnion is offering 12 months of monitoring and $1 million in identity theft insurance. The enrollment deadline is 90 days from the date on your notice letter. Don’t delay.
- Place a credit freeze with all three major credit bureaus:
  - Equifax: 1-888-298-0045
  - Experian: 1-888-397-3742
  - TransUnion: 1-800-916-8800
- If children’s information was compromised, check whether a credit file exists for your child at each bureau. If one exists and you didn’t create it, that’s a red flag for identity theft.
- File an IRS Identity Protection PIN request at irs.gov/ippin to prevent tax fraud using your stolen SSN.
For Immigration-Related Data
- If your USCIS number, alien registration number, or passport number was exposed, contact USCIS at 1-800-375-5283 to report the potential compromise and discuss protective measures.
- Monitor your immigration case for any unauthorized changes or filings.
Ongoing Vigilance
- Review your credit reports regularly at AnnualCreditReport.com — you’re entitled to free reports from each bureau weekly through the end of 2026.
- Watch for phishing — criminals may use your stolen personal details to craft convincing phishing emails or phone calls that reference the Children’s Council or your childcare arrangements.
- Report identity theft to the FTC at identitytheft.gov or 1-877-438-4338.
- Consult a data breach attorney — several firms are actively investigating claims and offer free consultations.
The Nonprofit Cybersecurity Crisis
The Children’s Council breach is symptomatic of a larger crisis in nonprofit cybersecurity. These organizations face a fundamental tension: they collect and store highly sensitive data about vulnerable populations, but they typically operate on thin margins with limited technology budgets and small (or nonexistent) IT security teams.
A 2025 report from Comparitech documented 653 confirmed ransomware attacks on U.S. organizations in 2025, compromising approximately 43.3 million personal records. Nonprofits and social service organizations represented a growing share of these attacks.
The economics of ransomware create a perverse incentive: nonprofits are cheap to attack (low security), hold valuable data (SSNs, medical records, immigration documents), and face enormous pressure to pay (they can’t afford extended downtime and their mission involves protecting vulnerable people). For ransomware gangs like SafePay, a nonprofit that administers $250 million in public childcare funding is not a sympathetic target to be spared — it’s a lucrative one to be exploited.
Addressing this crisis requires a multi-pronged approach:
- Dedicated cybersecurity funding from government grants and philanthropic sources for nonprofits handling sensitive data
- Shared security services through nonprofit technology cooperatives or managed security service providers specializing in the sector
- Regulatory guidance that accounts for the resource constraints of nonprofits while maintaining data protection standards
- Mandatory cyber insurance for organizations that handle sensitive personal data, regardless of sector
- Incident response planning tailored to organizations with limited IT staff
Until these systemic issues are addressed, breaches like the Children’s Council incident will continue — and the people who pay the price will continue to be those who can least afford it.
Timeline Summary
| Date | Event |
|---|---|
| 1973 | Children’s Council of San Francisco founded |
| August 3, 2025 | Network disruption (breach occurs) |
| August 19, 2025 | SafePay ransomware gang claims responsibility on dark web |
| February 23, 2026 | Full scope of breach confirmed |
| February 27, 2026 | Breach notification letters begin mailing to 12,655 individuals |
| March 2–3, 2026 | Regulatory filings submitted to CA, ME, MA, NH, VT attorneys general |
| March 4–18, 2026 | Multiple law firms announce class action investigations |
| March 10, 2026 | First lawsuit filed: Adams v. Children’s Council (SF Superior Court) |
If you were affected by the Children’s Council of San Francisco data breach, we recommend consulting with a data breach attorney to understand your legal options. This article is for informational purposes only and does not constitute legal advice.
Sources:
- Maine Attorney General — Children’s Council Breach Notice
- California Attorney General — Breach Report
- Comparitech — San Francisco Children’s Council Data Breach
- GlobeNewsWire — Lynch Carpenter Investigation
- Strauss Borrelli — Children’s Council Investigation
- ClaimDepot — Children’s Council Investigation
- The Lyon Firm — Children’s Council Data Breach
- Adams v. Children’s Council of San Francisco (CGC-26-634679)
- Bitdefender — SafePay Ransomware Analysis
- Check Point — SafePay Ransomware
- SC Media — SafePay Uses LockBit Builder



