The Children’s Council of San Francisco this week confirmed it notified 12,655 people of an August 2025 data breach that compromised names and Social Security numbers.
The breach occurred on August 3, 2025, according to the notices sent to breach victims by the Council. The notice does not specify whether the compromised data belonged to children.
Two weeks later, a cybercriminal group called SafePay took credit for the breach on its data leak website. The ransomware outfit demanded a ransom payment within 24 hours to delete the stolen data.
The Children’s Council of San Francisco has not acknowledged SafePay’s claim, and Comparitech cannot independently verify it. We do not know if the Council paid a ransom, how much SafePay demanded, or how attackers breached the Council’s network. Comparitech contacted the Council for comment and will update this article if it replies.
“On August 3, 2025, ChCo experienced a network disruption,” says the Council’s notice to breach victims. “The investigation determined that an unknown actor accessed and acquired certain data without authorization.”
The Children’s Council is offering breach victims 12 months of free credit monitoring and $1 million in identity theft insurance through TransUnion. The deadline to enroll is 90 days from the date on the notice letter.
Who is SafePay?
SafePay is a ransomware gang that started listing the organizations it hacks on its data leak site in November 2024. The group uses LockBit-based ransomware. It employs a double-extortion scheme in which a ransom is demanded to restore systems and to delete stolen data.
In 2025, SafePay claimed responsibility for 374 ransomware attacks. 46 of the organizations it targeted confirmed those attacks and notified 17 million people of the resulting data breaches. The largest of those was SafePay’s breach of Conduent Business Services, which notified 16.7 million people.
The group remains active in 2026. It’s taken credit for 16 more attacks so far, with one confirmed. Another social services organization, Franze Sales Hause in Germany, says it refused to meet SafePay’s six-figure demand.
Ransomware attacks in the USA
Comparitech researchers logged 653 confirmed ransomware attacks on US organizations in 2025. They compromised about 43.3 million personal records in total.
Several of those attacks hit non-profits and social service organizations like the Children’s Council of San Francisco:
- Bucks County Opportunity Council (PA) reported an August 2025 breach claimed by Money Message
- Catholic Charities of the Diocese of Albany (NY) reported a March 2025 data breach claimed by Inc
- North American Family Institute (MA) reported a September 2025 data breach claimed by Qilin
- Elmcrest Children’s Center (NY) reported a March 2025 data breach claimed by Interlock
- Family & Community Services (OH) reported a May 2025 data breach claimed by Qilin
In 2026 to date, we’ve confirmed 21 more ransomware attacks and are monitoring another 700 attack claims made this year.
About the Children’s Council of San Francisco
The Children’s Council of San Francisco is a nonprofit contractor of the State of Californita Department of Social Services, San Francisco City, and San Francisco County. It stewards public dollars to childcare and early education providers serving infants and children up to age 13, helps families find and finance childcare, and administers an annual budget of almost $250 million, according to its website.
