Phoenix Art Museum Data Breach Exposes Social Security numbers

Phoenix Art Museum, the largest art museum in the southwestern United States, disclosed a data breach involving unauthorized access to its computer network.

The breach was disclosed to the Maine Attorney General on April 15, 2026, with two Maine residents identified as affected.

Phoenix Art Museum determined that personal information had been exposed on March 20, 2026, and began notifying affected individuals on April 15, 2026, via written letters sent by first-class mail.

What happened in the Phoenix Art Museum data breach

The museum first identified unauthorized access to certain systems within its network on Dec. 8, 2025. An investigation was launched, determining that the actual unauthorized access to files had occurred earlier, on Dec. 3, 2025.

On Feb. 12, 2026, a ransomware group known as Rhysida claimed responsibility for the attack on the Tor network. The group stated that it had obtained the museum's data and intended to publish the stolen information within six to seven days.

The museum continued its investigation and reviewed the files that had been accessed during the breach. On March 20, 2026, that review determined that one or more of the accessed files contained personal information belonging to certain individuals.

The types of personally identifiable information exposed in this breach included names and Social Security numbers.

Phoenix Art Museum's response to the breach

Phoenix Art Museum is offering affected individuals a complimentary one-year membership to credit monitoring and identity protection services through Epiq Privacy Solutions ID. The service includes three-bureau credit monitoring through Equifax, Experian and TransUnion, as well as annual three-bureau credit report and score access.

Additional features include Social Security number monitoring, dark web monitoring, lost wallet assistance, identity restoration services and up to $1 million in identity theft insurance with a $0 deductible.

The service also provides up to $1 million in unauthorized electronic funds transfer reimbursement. Affected individuals can enroll by visiting Epiq Privacy Solutions ID and entering the activation code from their notification letter.

For questions about the incident, affected individuals can call the museum's dedicated response line at 844-558-4691, available Monday through Friday from 9 a.m. to 9 p.m. Eastern Time, excluding U.S. holidays.

Those who need help with the enrollment process can contact Epiq directly at 866-675-2006. The museum itself can also be reached at 602-257-1880.

Steps to take if your information was exposed

• Place a credit freeze with all three credit bureaus. Because Social Security numbers were exposed, a credit freeze is one of the strongest protections against someone opening fraudulent new accounts. Contact Equifax at 1-888-298-0045, Experian at 1-888-397-3742 and TransUnion at 1-800-916-8800.
• Consider placing a fraud alert on credit files. Contact any one of the three nationwide credit bureaus to place an initial one-year fraud alert, and that bureau is required to notify the other two.
• Request free credit reports at AnnualCreditReport.com. Review them carefully for any unfamiliar accounts, inquiries or other suspicious activity.
• Watch for phishing attempts that reference Phoenix Art Museum or this data breach by name, as scammers often use real breach notifications to trick people into sharing additional personal information.
• Report suspected identity theft to the Federal Trade Commission at IdentityTheft.gov or by calling 1-877-438-4338.