It was bound to happen.
Earlier today, the Episcopal Diocese of Virginia announced that the Trustees of the Funds (TOTF) experienced a major cyber attack. The TOTF holds investment funds for the Diocese, numerous parishes, and related organizations.
As a result of the hack, two parishes lost investment funds. While the Diocese has not disclosed the amount of the loss, it is substantial. Insurance will cover most of the loss.
In response, the Diocese announced a review of IT security at the TOTF, diocesan offices, and related organizations. In addition, the Diocese encouraged parishes and other constituent organizations to review their IT security measures and committed to full transparency about the breach.
First, let’s call a spade a spade. The only surprise is that it took so long for this to happen. Until recently, the Diocese didn’t know what assets it had in its portfolio. Nor could it identify specific requirements for restricted funds. Thus, the Diocese lacks even rudimentary internal controls, which makes it an attractive target for all kinds of misconduct. That includes both internal and external actors.
Second, until now, the Diocese and constituent parishes have had almost no concept of IT security. That includes:
- Woefully outdated IT hardware.
- Easily guessed passwords.
- No investment in basic data security.
- Utter indifference to the issue.
- Failure to use U2F, encryption, or other basic security measures.
So, yet again, the only surprise in all of this is that it took this long, and that the damage was relatively minimal.
Third, we should look at the Diocese’s stated goal of building trust through transparency. This from an entity that flatly refuses to follow church canons: it doesn’t publish financials, release audits, or provide specifics of its finances. Indeed, Bishop Lee’s compensation only came to light during the property recovery litigation. Nor does it comply with safe church requirements enacted by General Conference. So building trust is a worthy goal, but the Diocese has enormous work to do in these areas.
Even worse, in the past, the Diocese has falsely stated that everything is going great. This sort of fabrication makes it difficult for members to assume that statements made by leaders are trustworthy. Once bitten, twice shy. So it will be an arduous process for the Diocese to earn trust.
Even now, as the Episcopal Church moves into what appears to be its final years, it controls significant assets. So let’s hope today’s news leads the denomination to improve overall governance and IT security. As things stand, safeguards against this sort of thing are woefully inadequate.