Mormon Church reveals data breach seven months after incident transpired


The Church of Jesus Christ of Latter-day Saints revealed yesterday that it was the target of a cyber attack in March 2022 that led to the theft of personal data.

The church, also known as the Mormon Church, said it had detected unauthorised activity on 23 March in certain computer systems that impacted the personal data of some of its members, employees, contractors, and friends.




The personal data involved in the breach was related to those who either had registered online accounts with the church or had their personal information stored by the organisation because they were employed by it.

This included usernames, membership record numbers, full names, gender, email addresses, birthdates, mailing addresses, phone numbers, and preferred language. The affected data didn’t include the donation history or any banking information associated with online donations, it said.

“We immediately notified federal law enforcement authorities in the United States and were asked to keep the incident confidential to protect the integrity of the investigation,” said the church. “This instruction was lifted on 12 October 2022, and we notified affected individuals.”

It added that US federal law enforcement authorities suspect the intrusion was part of a pattern of state-sponsored cyber attacks, aimed at organisations and governments around the world, that are not intended to cause harm to individuals.

Since the breach was discovered, the church said it has been working with US federal law enforcement authorities and third-party cyber security experts to establish the origin, nature, and scope of this incident, and to mitigate possible ramifications.

The church added that law enforcement authorities believe that the risk of the stolen information being used to harm individuals is low. Monitoring by the authorities hasn’t identified any attempts at harmful use either.

“Protecting the confidential information of our members, employees, contractors, and friends is critical,” the church added. “We continue to do all we can to ensure such information is safeguarded.”

It advised those who have been affected to remain vigilant about the security of their personal data by monitoring personal accounts, frequently changing passwords, selecting strong and different passwords for every account, and taking action on any suspicious activity.

“This breach against the Church of Jesus Christ of Latter-day Saints highlights that no organisation is immune to cyber attacks,” said Julia O’Toole, CEO at MyCena Security Solutions, to IT Pro.

“While it’s positive that no financial information was compromised, the data stolen can still be used to perform phishing attacks and be sold on the dark web to build profiles on the victims and tie it to other pieces of data linked to them that is already available.”

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.