Explanation and Frequently Asked Questions about the Church Accounts Data Incident
In late March 2022, The Church of Jesus Christ of Latter-day Saints discovered unauthorized activity on certain computer systems involving personally identifiable information of some members, employees, contractors, and friends of the church. The affected data did not include donation history or banking information related to online donations.
Since then, we have been working with US federal law enforcement agencies and outside cybersecurity experts to determine the origin, nature and scope of this incident and to mitigate any potential impact. Law enforcement authorities believe that the risk of the information being used to harm individuals is low, and our monitoring efforts have not identified any attempts at harmful use.
At the request of these law enforcement agencies, we did not share any information about the incident while they conducted their investigation, until October 12, 2022.
We are now notifying those who may be affected, even if the law doesn’t require it. Anyone who has questions about the security of their information can learn more by referring to the FAQs below.
Protecting the confidential information of our members, employees, contractors and friends is vital. We continue to do everything we can to ensure that this information is protected.
- What happened?
- Which personal data was affected?
- Who can I talk to about this?
- What is the church doing to prevent something like this from happening again?
- What steps do I need to take?
- Why did the church have my information?
- Have you reported this to a data regulator or data protection authority?
- How can I find out if my personal information is affected?
- Why did it take so long to notify me?
1. What happened?
On March 23, 2022, the Church of Jesus Christ of Latter-day Saints, a Utah Corporation Sole (CHC), discovered unauthorized access to certain computer systems. We immediately notified federal law enforcement agencies in the United States and were asked to keep the incident confidential to protect the integrity of the investigation. This order was lifted on October 12, 2022, and we have notified affected individuals. US federal law enforcement agencies suspect that this intrusion was part of a pattern of state-sponsored cyberattacks targeting organizations and governments around the world and was not intended to harm individuals.
2. Which personal data was affected?
The compromised systems contain personally identifiable information, including basic contact information, of members of The Church of Jesus Christ of Latter-day Saints. The information accessed may include, if you have provided it, your username, membership record number, full name, gender, email address(es), date of birth, postal address, telephone number(s), and your preferred language. The affected data did not contain donation history or banking information related to online donations.
3. Who can I talk to about this?
If you have additional questions or concerns, please contact us at: www.ChurchofJesusChrist.org/DataPrivacy.
4. What is the Church doing to prevent this from happening again?
We take the protection of the personal data entrusted to us seriously and take all measures to keep your data safe. We have worked with outside forensic experts, US law enforcement agencies, and other cybersecurity professionals to investigate the incident and continue to improve the security of Church systems.
5. What steps do I need to take?
We have no indication that your personal data has been misused or made public. We encourage you to stay vigilant about the security of your personal information by monitoring your personal accounts, changing passwords frequently, choosing strong and different passwords for each account, and taking action on suspicious activity. You should immediately report any fraudulent activity, fraud or identity theft to law enforcement authorities.
6. Why did the church have my information?
The personal data concerned is the result of creating an online church account or the result of employment with the church.
7. Have you reported this to a data regulator or data protection authority?
We have notified the relevant data protection authorities.
8. How can I find out if my personal data is affected?
If you did not receive a notification email, it is unlikely that your personal information was affected.
9. Why did it take so long to notify me?
The church coordinated with law enforcement and was asked to keep the incident confidential to protect the integrity of the investigation. This order was lifted on October 12, 2022.