Mormon Church IT ransacked, data stolen by ‘state-sponsored’ cyber-thieves

Miscreants broke into the Church of Jesus Christ of Latter-day Saints’ computer systems and stole personal data belonging to “some” members, employees, contractors and friends, the church has confirmed.

According to a church statement on the “data incident,” posted on its website today, the security breach happened in late March 2022. The breached systems contained LDS church members’ basic contact info, but did not include banking history or other financial information associated with donations, we’re told. 

Depending on what personal information church members and others provided when they were hired or created an account, the data includes usernames, membership record numbers, full names, gender, email addresses, birth dates, mailing addresses, phone numbers and preferred languages, according to the statement.

Also according to the church, citing federal law enforcement authorities, the break-in was part of a large-scale, state-sponsored scheme targeting organizations and governments worldwide, but “not intended to cause harm to individuals.”

The Mormons, or LDS as they prefer to be known, have been working with US authorities and third-party cybersecurity firms since discovering the digital break-in to determine its scope, how it happened, and to mitigate any impacts, the church added. “Law enforcement authorities believe the risk that the information will be used to harm individuals is low and our monitoring efforts have not identified any attempts of harmful use.”

As to why the seven-month delay in sharing information about the cybersecurity incident: blame it on the authorities, not the elders. 

“At the request of these law enforcement authorities, we have not shared information about the incident as they have conducted their investigation until October 12, 2022,” according to the LDS statement.

The church has since notified everyone who may have been affected, and pledged to work with law enforcement and infosec professionals to “further enhance the security” of its computer systems.

Meanwhile, in how not to write a security-incident-disclosure-press-release news, CommonSpirit Health — America’s second-largest nonprofit hospital network — finally admitted its mystery cyberattack was, in fact, a ransomware infection. 

It still hasn’t provided details about the scope of the attack or what data was stolen.

The admission, posted yesterday in an update on the org’s website, came more than a week after the intrusion shuttered electronic health record systems across some of its more than 1,000 medical facilities.

The digital outages have also reportedly hampered hospital staffs’ abilities to prescribe and administer medication to patients.

In at least one instance, a three-year-old was accidentally administered a massive dose of painkillers, twice the correct amount based on the child’s age and size. Luckily, the toddler spit out the meds. ®