Hackers breached the Phoenix Art Museum

The Phoenix Art Museum in Arizona yesterday confirmed it notified an undisclosed number of people about a December 2025 data breach that compromised their names and Social Security numbers.

The Museum said it identified unauthorized access to its systems on December 8, 2025, when it took steps to secure the network and launch an investigation.

A cybercriminal group called Rhysida took credit for the breach on February 12, 2026. On its data leak website, the group said it stole data from the Museum and demanded 10 bitcoin in ransom, worth about $667,000 at the time.

Rhysida lists the Phoenix Art Museum on its data leak site.

The Phoenix Art Museum has not acknowledged Rhysida’s claim and Comparitech cannot independently verify it. We do not know how many people the museum notified, how attackers breached the museum’s network, or if the museum paid a ransom. Comparitech contacted the Phoenix Art Museum for comment and will update this article if it replies.

“On December 8, 2025, we identified unauthorized access to certain systems within our network,” says the museum’s notice to breach victims. “The investigation determined that unauthorized access to files occurred on December 3, 2025.”

The museum is offering breach victims free credit monitoring and identity theft insurance through Epiq.

Who is Rhysida?

Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.

Rhysida claimed responsibility for 92 ransomware attacks in 2025. Of those, 24 were confirmed by the targeted organizations.

The attack on the Phoenix Art Museum was Rhysida’s third on a non-profit in 2025. The other two confirmed attacks it claimed were:

  • Welthungerhilfe (Germany) reported a May 2025 data breach for which Rhysida demanded $2.15 million
  • Hudson River Housing (NY) reported a March 2025 data breach for which Rhysida demanded $744,000

Rhysida is still active in 2026. It’s claimed six more attacks this year to date, one of which has been confirmed.

Ransomware attacks in the USA

Comparitech researchers logged 708 confirmed ransomware attacks on US organizations in 2025. Those attacks compromised nearly 46 million personal records.

In 2026 to date, we’ve tracked 58 attacks affecting more than 110,000 records.

Non-profits are not safe from these attacks. Other recently-confirmed ransomware attacks on non-profit organizations include:

Ransomware attacks can both lock down computer systems and steal data from them. An infected organization must then choose between paying a ransom to restore systems and secure the stolen data, or face extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.

About the Phoenix Art Museum

The Phoenix Art Museum is the largest visual art museum in the southwest United States with more than 18,000 works in total.