Church data breached in cyber attack


Ironhold

https://www.ksl.com/article/50494845/a-cyber-attack-breached-some-latter-day-saint-member-data-heres-what-we-know

Back in March an unknown entity - likely a state-sponsored or state-sanctioned organization - breached some of the church's systems. Law enforcement asked the church to remain silent about the matter while the investigation was ongoing, but the church has now released a statement and has begun contacting affected individuals by e-mail.

Hate to say it, but Russia came to mind given the hyper-nationalistic effort to force non-"Russian" religious groups out of the country.


Yeppers.   Got this the other day (bolding mine):

Quote

Dear Account Holder:
The Church of Jesus Christ of Latter-day Saints, a Utah corporation sole (“CHC”), detected an unauthorized network intrusion that affected personal data you previously provided. At this time, there is no evidence that any of your financial information has been impacted and there is no indication that the data has been or is likely to be used for fraudulent or other harmful purposes. We are notifying you and others worldwide whose data may have been affected, even where this is not legally required.

What Happened?
On March 23, 2022, we detected unauthorized access to certain computer systems. We immediately notified federal law enforcement authorities in the United States. We were asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on October 12, 2022.
Who Committed this Intrusion?
CHC cannot determine the identity of the unauthorized person who may have accessed or acquired your personal data. U.S. federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals. The forensic investigators who assisted CHC in investigating the security breach have not detected any further unauthorized access or activity since April 3, 2022.

What Information Was Affected?
The breached CHC systems contain personal data, including basic contact information, of members of The Church of Jesus Christ of Latter-day Saints. The data accessed may include, if you provided it, your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language.

What Are We Doing?
We have been working with external forensic experts, U.S. federal law enforcement authorities, and other cybersecurity professionals to investigate the incident and further enhance the security of CHC’s systems. We also have notified data protection authorities, including, for example, the supervisory authority in Germany, where CHC’s representative under Art. 27 GDPR is based.

What Can You Do?
We have no indication that any of your personal data has been misused or published. We recommend that you remain vigilant about the security of your personal data by monitoring your personal accounts, frequently changing passwords, selecting strong and different passwords for every account, and taking action on any suspicious activity. You should promptly report to law enforcement authorities any fraudulent activity, scam, or identity theft.

For More Information
If you have further questions or concerns, please call:
•    In the United States: toll-free (833) 559-0435, Monday through Friday, 7:00 a.m.–9:00 p.m. Mountain Time (MT); Saturday and Sunday, 9:00 a.m.–6:00 p.m. MT (excluding major U.S. holidays).
•    Outside the United States: toll +1 (346) 278-3020, Monday through Friday, 7:00 a.m.–9:00 p.m. Mountain Time (MT); Saturday and Sunday, 9:00 a.m.–6:00 p.m. MT (excluding major U.S. holidays).
o    United Kingdom English toll-free number: +44 (0800) 408 1788, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)
o    Brazil English toll-free number: +55-0800-450-0035, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)
o    Philippines English toll-free number: +63-1800-13120083, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)
o    Australia English toll-free number: +61 (1800) 434165, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)
o    New Zealand English toll-free number: +64 800-445108, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)
CHC has contracted Experian, an industry leader in data security response, to receive these calls. Be prepared to provide your engagement number: B058762.

We take protecting the personal data entrusted to us seriously and are taking every action to keep your information safe. We regret any inconvenience or concern this incident may have caused.

Sincerely,

Data Privacy Office
The Church of Jesus Christ of Latter-day Saints, a Utah corporation sole

 

For the last 7-8 years, I've received at least one of these a year from somewhere.  My credit card or bank, social media platform, various businesses, and now my church.

This is the reality, people.  It's important to know this stuff in the 2020s.  The church gives good advice we should all be following, with or without evidence of any particular breach.


This is why I WISH the church would allow members to do what they HAVE to allow in Europe.  We should have a right to our privacy and restricting information that is online. 

I've not been impressed with the Church's technology stance or security from what I've seen.  From what I understand, they pay under the going rate, when in truth they probably should be trying to attract the top talent to secure their information.

However, what I REALLY wish is that they had an opt out clause which would make it so NONE of our information is online if we so desire it not to be online. 

That may be just because I'm an old fogey and I don't trust any of this stuff online these days, but I see too many people get their information stolen in that manner.  The Church is the ONLY group that has as much of my personal information stored on a public website (even the university allows us more privacy than the Church, it has my name, office phone and office information as well as hours and classes, but the personal stuff is kept off the main sites as per my request).  It's made me uncomfortable about it ever since I had someone come over to me and say happy birthday and my age at church without me ever even consenting to have them get that information.  That made me feel uncomfortable.


8 hours ago, JohnsonJones said:

However, what I REALLY wish is that they had an opt out clause which would make it so NONE of our information is online if we so desire it not to be online. 

I get it, I really do.  But it simply hasn't been possible for just about anything, for about a decade or more.  If you have a smartphone or bank account, if you own land, have a mortgage, or a job, have ever been to a doctor or hospital, if you get social security, then your stuff is online. All of these places have public websites, and policies/procedures/firewalls/HighHopes in place to protect your information. 

Folks wishing to have zero digital footprint can catch a cruise to a foreign land with a suitcase of cash, and just not take the return trip.  But it better not be a foreign land with things like traffic signals and electricity, because that means there'll be traffic cameras.  You don't get to take your phone or computer.

Anyway, go here: http://www.churchofjesuschrist.org/DataPrivacy and read up a bit.  I think you'll be comfortably surprised.  Especially with this part:

Quote
I want to change my privacy settings

If you have a Church Account, you may change or update your privacy settings through the Directory or through the Member Tools mobile application.

On ChurchofJesusChrist.org: Select Ward Directory and Map, then select your household, and then your name. Click on the Edit icon (blue pencil) to view or update your privacy settings.

In the Member Tools mobile application: select your household and then your name. Then select Edit to view or update your privacy settings.

You can choose who you want to be able to view your phone and email.  The only people who can see your account, besides church HQ, will be people in your stake with their own accounts.   That's sort of the unstated data profile to which you agree upon baptism.  We're supposed to bear one another's burdens that they might be light, and this makes sure we can find each other.

 

 

Edited by NeuroTypical

14 hours ago, NeuroTypical said:

I get it, I really do.  But it simply hasn't been possible for just about anything, for about a decade or more.  If you have a smartphone or bank account, if you own land, have a mortgage, or a job, have ever been to a doctor or hospital, if you get social security, then your stuff is online. All of these places have public websites, and policies/procedures/firewalls/HighHopes in place to protect your information. 

Folks wishing to have zero digital footprint can catch a cruise to a foreign land with a suitcase of cash, and just not take the return trip.  But it better not be a foreign land with things like traffic signals and electricity, because that means there'll be traffic cameras.  You don't get to take your phone or computer.

Anyway, go here: http://www.churchofjesuschrist.org/DataPrivacy and read up a bit.  I think you'll be comfortably surprised.  Especially with this part:

You can choose who you want to be able to view your phone and email.  The only people who can see your account, besides church HQ, will be people in your stake with their own accounts.   That's sort of the unstated data profile to which you agree upon baptism.  We're supposed to bear one another's burdens that they might be light, and this makes sure we can find each other.

 

 

 

I'm pretty sure I didn't agree on that data profile when I was baptized...I don't think computers were even much of a thing back then, much less the internet. 

I don't do any banking online, I do it all in person.  I own most of my stuff, and when I buy vehicles I pay cash.  I pay taxes (obviously) but do it in person.  I request everything to be made private (if I can). 

Obviously I'm not perfect and I do have an online presence (for example, I'm on these forums) so my security is not the tightest or best, and it would be easy to probably locate me and at least get a broad picture of myself and my background, so I'm not extremely secure in my internet security.  I know I'm a novice in these things and areas.

That said, many of the companies are paying a much HIGHER wage than what I hear the church is paying, meaning that the experts are going to be more likely to go to them (other companies or agencies) than a lower paying job.  This also means that they get the better expertise and higher investment into security than the Church has going for it. 

If the church offered double the going rate of elsewhere and looked for the best expertise no matter what an individual's church involvement was (just how trustworthy they are from their work history [well researched in this instance] and other checks), and focused more on getting the BEST talent out there anywhere, I think I'd have more trust in the church's computer system security than I presently do.

 

 

 


6 hours ago, JohnsonJones said:

If the church offered double the going rate of elsewhere and looked for the best expertise no matter what an individual's church involvement was (just how trustworthy they are from their work history [well researched in this instance] and other checks), and focused more on getting the BEST talent out there anywhere, I think I'd have more trust in the church's computer system security than I presently do.

This is a lot of assumptions here. Offering less doesn't always mean you will not get the Best talent. There are a lot of people who apply for jobs that open with the Church due to Church stability, especially in the tech field.

If someone came up to you in Church and said, happy birthday, they could have been notified by someone else who knows it was your birthday. You are making the assumption it was through the Church online. The average lay member doesn't have access to private information like that. If they have it, it is because they are in a position that allows them to view birthdays. I used to be able to view the birthday of my home teaching/ministering families. I am unable to do so anymore. So, if I know their birthday it is because I have asked them, or asked someone who knows the family more than I do (especially if it is a family that never opens the door).

Let me provide you perspective with the Church's talent and position in the tech field. When I applied for the Church I was applying for a tech II position. As I interviewed, a tech II position in the Church is more like a tech III position anywhere else. They have enough pull, and engineers applying that people are willing to take a lesser pay for the security and a good atmosphere to work in. Needless to say, at that time I wasn't even seen as a candidate for the position but anywhere else I was.

EDIT: Also, if you have given your number, year of birth, etc... (what we call private information), if you are part of any social media platform and do not click the button (if available) "Do not sell my personal information" -- understand all these platforms are selling your private information to third parties (especially if they are affiliated with any other group). I doubt, but could be wrong (as I don't know the ins and outs of this with the Church), but I doubt they are selling our personal information to third parties.

Edited by Anddenex