A cyberattack breached some Latter-day Saint member data. Here’s what we know

SALT LAKE CITY – A suspected state-sponsored cyberattack on The Church of Jesus Christ of Latter-day Saints in March successfully obtained the personal data of some church members, employees and contractors, but law enforcement authorities believe the risk to individuals is low, the church said in a release Thursday.

The breach did not include banking information or donation history, the church said.

The church is notifying those affected by email ksl.com reported. It also is providing phone numbers people can call with questions about the breach. (See below.)

“We have no indication that any of your personal data has been misused or published,” according to the church release. “We recommend that you remain vigilant about the security of your personal data by monitoring your personal accounts, frequently changing passwords, selecting strong and different passwords for every account and taking action on any suspicious activity. You should promptly report to law enforcement authorities any fraudulent activity, scam or identity theft.”

The breach occurred on March 23, but federal investigators asked the church not to release information about the cyber assault while their investigation was underway. Law enforcement authorities lifted that request Wednesday, the release said.

Rod Buhler is a cyber security professor at Salt Lake Community College, he said he’s not surprised the FBI asked the Church to keep the breach confidential until now.

“After the robber takes your stuff you’d like to follow them for a little bit to figure out who they are.
And in our world that’s a little bit of time to be able to follow the pathways to where they are,” he said.

“U.S federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals,” the church statement said.

Buhler said it’s a narrow list of suspects, “Russia, China, state-sponsored, you know the bad actors in the world.”

The stolen data included personal information that church members or employees provided to the church, including basic contact information such as a person’s username in the system, membership record number, full name, gender, email address, birthdate, mailing address, phone number, and preferred language, the release said.

Buhler said to be on alert for any suspicious emails or phone calls from anyone claiming association with the Church.

“They have all our information, now they’re just syncing that information up so they can figure out a way to get you. If they can call up and say they’re a member of the church maybe you’ll listen to them a little bit more, or contact you with an email that looks like it comes from the church,” he said.

He also recommended changing the password on your church account, and if it’s the same password you use for any other accounts change those too.

The church’s statement came amid frequent headlines about cyber attacks, including state-sponsored cyber assaults.

On Monday, an attacker within the Russian Federation attacked some of the largest U.S. airports, ABC News reported.

On Thursday, a cyberattack forced the closure of an Australian insurer, which took its systems offline and halted trading on its shares. Attackers breached the data of 10 million customers of an Australian bank late last month, Reuters reported.

The city of Tucson, Arizona, recently reported a May attack that compromised the information of 123,500 people. The city worked with forensic experts to investigate the incident. The city reported the attack this fall after the investigation ended, according to SecurityAffairs.co.

“We take protecting the personal data entrusted to us seriously and are taking every action to keep your information safe,” the church said. “We have been working with external forensic experts, U.S. federal law enforcement and other cybersecurity professionals to investigate the incident and further enhance the security of church systems.”

The church’s full statement follows:

Statement and FAQ on church account data incident

In late March 2022, The Church of Jesus Christ of Latter-day Saints detected unauthorized activity in certain computer systems that affected personal data of some church members, employees, contractors, and friends. The affected data did not include donation history or any banking information associated with online donations.

Since that time, we have been working with U.S. federal law enforcement authorities and third-party cybersecurity experts to establish the origin, nature, and scope of this incident and to mitigate possible impacts. Law enforcement authorities believe the risk that the information will be used to harm individuals is low and our monitoring efforts have not identified any attempts of harmful use.

At the request of these law enforcement authorities, we have not shared information about the incident as they have conducted their investigation until Oct. 12, 2022.

We are now notifying those who may have been impacted, even where this is not legally required. Anyone with questions about the security of their information can learn more by referencing the frequently asked questions below.

Protecting the confidential information of our members, employees, contractors, and friends is critical. We continue to do all we can to ensure such information is safeguarded.

FAQ

1. What happened?

On March 23, 2022, The Church of Jesus Christ of Latter-day Saints, a Utah corporation sole (CHC) detected unauthorized access to certain computer systems. We immediately notified federal law enforcement authorities in the United States and were asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on Oct. 12, 2022, and we notified affected individuals. U.S federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.

2. What personal information was affected?

The breached systems contain personal data, including basic contact information, of members of The Church of Jesus Christ of Latter-day Saints. The data accessed may include, if you provided it, your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language. The affected data did not include donation history, or any banking information associated with online donations.

3. Who can I talk to about this?

If you have further questions or concerns, please call:

Engagement Number: B058764

In the United States

English toll-free number: 1-833-559-0435

Spanish toll-free number: 1-833-559-0612

Monday–Friday, 7:00 a.m.–9:00 p.m. Mountain Time (MT); Saturday and Sunday, 9:00 a.m.–6:00 p.m. (MT), excluding major U.S. holidays.

Outside the United States

Outside the United States: toll +1 (346) 278-3020, Monday through Friday, 7:00 a.m.–9:00 p.m. Mountain Time (MT); Saturday and Sunday, 9:00 a.m.–6:00 p.m. MT (excluding major U.S. holidays).

United Kingdom English toll-free number: +44 (0800) 408 1788, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)

Philippines English toll-free number: +63-1800-13120083, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)

Australia English toll-free number: +61 (1800) 434165, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)

New Zealand English toll-free number: +64 800-445108, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)

Portuguese toll-free number: +55-0800-450-0035, Monday through Friday, 8:00 a.m.–6:00 p.m. (BT); Saturday and Sunday, 8:00 a.m.–5:00 p.m. (BT)

German toll-free number: +49 (0800) 673 8190, Monday through Friday, 7:00 a.m.–5:00 p.m. (BT); Saturday and Sunday, 7:00 a.m.–4:00 p.m. (BT)

French toll-free number: +33 080 510 9939, Monday through Friday, 7:00 a.m.–5:00 p.m. (BT); Saturday and Sunday, 7:00 a.m.–4:00 p.m. (BT)

4. What is the church doing to prevent this from happening again?

We take protecting the personal data entrusted to us seriously and are taking every action to keep your information safe. We have been working with external forensic experts, U.S. federal law enforcement, and other cybersecurity professionals to investigate the incident and further enhance the security of church systems.

5. What steps do I need to take?

We have no indication that any of your personal data has been misused or published. We recommend that you remain vigilant about the security of your personal data by monitoring your personal accounts, frequently changing passwords, selecting strong and different passwords for every account, and taking action on any suspicious activity. You should promptly report to law enforcement authorities any fraudulent activity, scam, or identity theft.

6. Why did the church have my data?

The personal data involved was the result of the creation of an online church account or the result of employment with the church.

7. Did you report this to a data regulator or data protection authority?

We have notified relevant data protection authorities.

8. How can I find out if my personal data was involved?

If you did not receive a notification email, it is unlikely your personal data was involved.

9. Why did it take so long to notify me?

The church was coordinating with law enforcement authorities and was asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on Oct. 12, 2022.