Anglican Watch

Episcopal data breach gets little attention, while placing millions at risk

Episcopal church hacked

In the wake of serious data breaches in corporate America, laws in every US jurisdiction require notification when a data breach may result in the exposure of financial, health, or other sensitive personal information to hackers. But the recent massive disruptions to computer networks belonging to the Episcopal Church have gone largely unreported, even as the data breach places the data of millions at risk. Further, the denomination’s weasel-worded announcement on social media of “unauthorized activity on our network” is inadequate to alert dioceses, parishes, vendors, employees, retirees, members, former members, and government agencies that provide funding to the church to the underlying security and privacy risks caused by the breach.

The church’s lack of transparency and concern for those affected is unacceptable.

What happened

The breach of Episcopal data networks first became apparent last week when the denomination’s sprawling website went offline for several days.

Simultaneously, Episcopal News Service, the denomination’s media service, went down without explanation.

Initially, the church sat absolutely silent about the issue.

Eventually, a bland announcement appeared on Facebook late on April 28, confirming what already was obvious: the church’s website was down.

Meanwhile, reports trickled in from various persons across the church, indicating that phones, email, and other infrastructure across the church were down.

Finally, on April 30, after multiple inquiries from The Living Church and others, the church’s public affairs office issued a statement, saying:

Over the weekend, The Episcopal Church experienced a computer network disruption, and our IT staff and third-party consultants immediately began an investigation that revealed unauthorized activity within our network. Out of an abundance of caution, Episcopal Church IT staff and our third-party computer specialists have isolated the church’s network for further investigation. IT staff and outside consultants are working around the clock to understand this incident, its potential impact on information stored on our network, and to minimize service interruptions. Updates will be provided as they become available.

In other words, another overly lawyered and content-free communique from the church.

One update followed on April 30, from Episcopal News Service, predicting that the news service website would be back online on May 1.

The church has provided no further updates.

This isn’t the Episcopal Church’s first major data breach

The Episcopal Church has had other major data security breaches.

In addition to the predictable phishing attempts, in which fraudsters claim to be clergy and ask members to send cash or gift cards, there were hundreds of “zoombombing” attacks during the pandemic. In the latter, malcontents invade an online Zoom meeting, posting obscenities, pornography, and images of violence and death.

Other data breaches have posed far greater threats to church member safety and security and include:

Nor do these breaches come without warning from elsewhere in the Anglican Communion. Breaches elsewhere include:

There’ve also been countless unreported parish-level data breaches. For example, in 2014, Grace Episcopal Alexandria left confidential parishioner financial information, unshredded, in an office trashcan. Additionally, a former vestry member and senior warden, Lisa Medley, published, without authorization, confidential member giving information on (Full disclosure: Anglican Watch editor Eric Bonetti is a former member of the parish.)

Then we come to the Episcopal Diocese of Haiti, where endemic corruption, the smuggling of munitions and cash by diocesan officials, the ongoing absence of a bishop diocesan, and the collapse of civil society all but guarantee problems with data security — not to mention financial controls.

In other words, data breaches happen with alarming frequency in the Episcopal Church. Yet the denomination’s response occupies the other end of the spectrum: Typically, the response is to either sit in splendid silence or say as little as possible, as late as possible.

Neither approach protects church members or engenders trust.

The risks of a data breach

The Episcopal Church faces an elevated risk profile when it comes to a data breach. These risks include:

  • The church’s extensive financial holdings, including over $400 million in trust assets, $11 billion in clergy retirement assets, and another $4.5 billion in locally held assets.
  • Hacker access to donor information, including name, address, gender, social security number, wire transfer information, and more.
  • Confidential internal information, including background reports of clergy candidates, psychological testing, financial reports, substance abuse evaluations, disciplinary complaints, and more.
  • Pastoral information, including sensitive information on mental health issues, substance abuse, domestic violence, and more. As such, the church holds information far more intimate than the data retained by Google and other data miners.
  • Information relevant to federally funded programs, including assistance to migrants, food assistance, and housing assistance.
  • Attorney-client privileged information, including confidential discussions over litigation, equal employment opportunity and discrimination complaints, and more.
  • Data originating at executive council executive sessions.
  • Confidential email discussions among bishops, which often are more candid than is wise. (Holly Hollerith, here’s looking at you).
  • Details on senior government officials, including high-ranking members of the intelligence community and military officials. This is particularly an issue in parishes around the metro-DC area, which often have obsolete computer technology, inadequate/shared passwords, and ludicrously thin information security protocols.

Additionally, while the Church Pension Group, the denomination’s captive insurance carrier, is a legally distinct entity, breaching data systems belonging to church headquarters almost certainly provides access to passwords, two-factor authentication systems, encryption keys, and sensitive data that would allow bad actors to reset passwords remotely.

Moreover, hackers almost certainly deployed trojan horses and other backdoors into church systems, allowing them to bypass firewalls and other security measures at will. These peepholes place all future network activity at risk, including internet protocol-based telephony. Thus, all church infrastructure users are at heightened risk of future security issues.

What we’d like to see

In this area, as in all others, we would like to see the Episcopal Church lead by example. In other words, the denomination should be setting an example for corporate America, versus the other way around.

Leading by example starts with disclosure. Specifically, we need to know:

  • What happened.
  • Who was responsible.
  • When the hack actually happened (versus was detected).
  • What the church is doing to address this breach.
  • What personally identifiable information (PII) the hacker(s) accessed.
  • What the church is doing to protect those hurt by the breach.

Indeed, the church’s communique on these issues notably omits any reference to law enforcement, despite the fact that a hack of church systems is per se criminal on both the state and federal levels. This omission is inherently problematic and suggests that the church is trying to avoid outside scrutiny and potential legal liability. Either that or the church doesn’t recognize the profound risks and notification requirements associated with data breaches.

We’d also like to see something more than bland assurances that church officials and IT consultants are looking into the matter and acting “out of an abundance of caution.”

While the former may be true, all signs suggest that the church is reverting to type and trying the whole “nothing to see here, move along,” routine. While we neither need nor want detailed specifics, we need far more information than what the hierarchy has provided to date.

Specifically, what measures is the church taking to protect against future hacks? How do those with church pensions (this author included) know that funds won’t miraculously disappear?

And before readers say, “Well, that will never happen,” our sisters and brothers in the African Methodist Episcopal Church are embroiled in lawsuits over that very issue.

Nor does the Episcopal Church have a positive track record when it comes to internal controls. Whether it’s the embezzlement of former national treasurer Ellen Cooke and the questions about her husband’s potential role, the hack of the Episcopal Diocese of Virginia, or the schizophrenic approach of the church hierarchy to clergy misconduct (which it ignores) versus local property litigation (where it jumps right in), the inner workings of the church are dangerously dysfunctional.

And before we go further, yes, clergy misconduct is an internal control. Specifically, when the church loses mission integrity, it loses credibility. That’s true whether the breakdown involves money, data, or abuse. If the episcopacy cannot protect the integrity of the church, it has no meaningful role.

As to data protection, we recognize there’s no guarantee against future data breaches. But any well-run organization has contingency plans that include this risk, and the church’s flat-footed, over-lawyered non-response suggests it had no plans in place to address a data breach crisis. Moreover, the church clearly doesn’t understand the underlying issue — it’s worried about legal liability while ignoring reputational and relational damage.

Budgetary implications

This paradigm involving the need to protect the mission of the church from multiple risks also touches on the requests by several dioceses to reduce assessments to the national church.

Right now, the Episcopal Church has layers and layers of governance. Starting on the parish level, the church comprises literally thousands of committees, commissions, boards, and, of course, the wildly bloated general convention.

But governance is not the same as leadership, and time after time we see so-called church leaders ignore problems, send issues to committees to die, shrug off church canons, and otherwise engage in nonfeasance. Indeed, Holly Hollerith’s written statement that he will not touch child rape with a “thousand-foot pole” is more norm than exception.

In other words, it is difficult for the average person in the pew to justify the money the church spends on overhead.

That’s not because people resent missional activity — it’s because the church expends so much on overhead and so little on actual mission.

Even worse, the massive expenditures on overhead almost never produce meaningful results.

Again, the church is so morally bankrupt that it even ignores child rape, all in the name of protecting the hierarchy. That evinces a narcissistic organization that does not care what members think, want, or need.

In closing

In closing, hope springs eternal.

We hope that church officials will take the Episcopal data breach seriously and see it as an opportunity for transparency, accountability, and meaningful reform.

Will this happen? Not bloody likely.

But the more church members demand accountability, including insisting that the church act as a conscientious steward of the resources we entrust to it, the more likely it is that the church will take these matters seriously.

The alternative is dire; if the church does not clean up its act, it will die.

Simple as that.
