A Roman Catholic archdiocese in the US has been forced to admit that a third-party payroll database, containing roughly 18,000 records, was hacked – leaving names, addresses and social security numbers (SSNs) of all past and current employees at risk.
The Catholic Archdiocese of Denver has revealed that in November last year, it notified a "limited number" of employees about the breach. However, since that time, more staff members came forward claiming that fraudulent tax returns had been filed, in their names, using the compromised details.
According to The Denver Post, Keith Parsons, Chief Financial Officer (CFO) of the archdiocese, said that 'fewer than 50 individuals' reported that the Internal Revenue Service (IRS) had notified them that someone else had filed a tax return using the hijacked credentials. However, he admitted: "There could be some who didn't report back to us. We have done a lot of investigating - and it is ongoing - and have found no additional breach other than that one."
In its breach notification letter sent to all potential victims, the church explained: "We believe that the incident occurred when an unknown person or persons was able to gain access into the archdiocese's payroll software system."
The system in question stores the sensitive data of not only employees, but also their dependants, spouses and beneficiaries and reportedly holds 18,000 records in total.
The letter continued: "If your family's information was stored in the archdiocese's payroll software system, we are assuming that their information could also have been disclosed. We don't yet know how that person was able to gain access but are investigating the issue.
"Your information is maintained in the system as an employee of the archdiocese. A limited number of employees were affected by the incident. However, because other employees have reported that fraudulent tax returns have been filed in their names, we have provided notice and identity protection and monitoring and, if necessary, identity repair assistance to all employees."
In light of this, the Denver-based church has brought in both the Colorado Bureau of Investigation and the FBI to investigate the incident, while also employing two former FBI agents who specialise in cybersecurity to conduct an in-depth analysis of the church's security systems.
Additionally, the archdiocese notified three credit monitoring firms – Equifax, Experian and TransUnion – of the ongoing incident and promised to provide assistance to all impacted employees. The incident only demonstrates further that in the world of cybercrime, no target is considered off-limits – whether it's the inside of a government data centre, the vault of a bank or, yes, even a church.