AIPAC disclosed a criminal cyberattack in a notification submitted to the Maine attorney general’s office on November 14, 2025, saying the incident was linked to an external system breach that involved an unknown third-party company. The filing states the organisation identified the incident during an internal investigation.
The filing says the incident was identified on August 28, 2025, when files stored on AIPAC systems were found to have been accessed without authorization from October 20, 2024, to February 6, 2025. A review of those files showed that names and other personally identifiable information had been taken, and the organisation reported that 810 people were affected, including one resident of Maine.
AIPAC did not specify which specific data types were present in the personal identifiers. The filing and notice warned that personally identifiable information can include Social Security or Taxpayer ID numbers, driver licence or state ID numbers, passport numbers, home addresses, contact details, payment card data and banking information.
The organisation began notifying affected individuals by email on November 13, 2025 and said its review had not found signs of misuse. AIPAC said no group had claimed responsibility for the hack and that, as of the notification, no AIPAC-linked data had appeared on hacker forums.
AIPAC said it is providing 12 months of identity protection through IDX, including credit and CyberScan monitoring, an insurance reimbursement policy and identity recovery support. The group also said it had implemented additional security controls, including posture and non-human identity controls, email data loss prevention, Microsoft 365 access controls, privilege alerts, geolocation restrictions, audit functions and increased monitoring. AIPAC is a United States-based political organisation that works to influence policy related to Israel and to build support in Congress.