By Charlie Cutler
Rarely does a day go by without a headline about data breaches. The victims we hear about include large financial institutions, international corporations, governmental agencies, Target, Home Depot, Sony, Citibank, NSA — the IRS and the list goes on.
That’s nothing a church would need to worry about, right?
I wish that were true.
In 2015, a sizable 3.4 percent of the 40,000 hacks made per day were against religious organizations. (See chart, below)
Data breaches are becoming increasingly problematic. As you might already know, a data breach occurs when sensitive information —such as banking information or intellectual property — is stolen digitally, using a computer. In addition to financial information, personal information is also often the target of these thieves. Names, social security numbers, addresses and phone numbers are all targets once a network has been hacked.
To put this in perspective, let’s take a look at an example of how a data breach could potentially affect your ministry. In 2013, a children’s Christian theater in Southern California was targeted by malicious individuals attempting to test stolen credit cards. It started out as a great story — the ministry was receiving unsolicited donations on its website. What a fantastic blessing! Many of the staff wondered who was behind this campaign that would help spread the Gospel through their faith-based theater.
Unfortunately, it soon became apparent that this wasn’t a benevolent viral campaign. In fact, it was someone testing stolen credit card numbers. Simply put, the bad guys would make a small donation using a stolen credit card number. If the charge went through, they would use that stolen number to rack up charges elsewhere. When the ministry learned what had happened, they were disappointed that the 947 donations were fraudulent.
But the real shock was when those 947 charges were reversed. The ministry was responsible for not one $30 reversal fee, but 947! The resulting $28,410 bill could have forced this 20-year-old ministry — which had touched so many lives — to close its doors. Fortunately, however, Cyber Liability was included in the ministry’s insurance policy. With just a few calls from the insurance company to the bank, the charges were reversed.
In the above scenario, the Christian theater was only part of a broader scheme. Victims of a financial data breach were having their stolen credit cards used in a fraudulent manner on the Christian theater’s website. As a result, the theater was on the hook for the financial cost of the transactions, whereas the owners of the credit cards were likely covered by their bank’s fraud protection practices.
Here are some other ways that ministries (just like yours) have been victims of cyber theft:
A church’s online giving system was hacked, and someone gained access to their user names and passwords. The first day, $17,000 was taken. Each day after, approximately $3,000 more was stolen, until the thefts were discovered by the ministry. The grand total stolen was $181,709.
A hacker was able to gain access to (and place malicious computer code on) a church’s shopping site. This allowed the hacker access to any new credit card information entered into the system. The church had to spend $15,000 to research the damage. In addition, it was required, by law, to offer its 1,800 customers professional ID protection.
A church bookkeeper received a message on her screen that she had been the victim of a computer breach. As a result, she was locked out of the system. The message prompted her to call an unknown phone number to restore access to the computer. She allowed access to the hackers and immediately saw social security numbers show up on the screen. At that point, she knew something was wrong. Experts were hired to monitor credit for those affected.
A church received a notice that its records were frozen and held for ransom. The church didn’t pay the ransom, lost access to the records (which were not physically backed up), and is now rebuilding all of its records from scratch.
An Australian-Syriac Catholic Church had its website hijacked by ISIS / ISIL. The terror group posted graphic images and videos of shootings and beheadings.
Hackers logged into the church’s network and stole students’ personal information. They then used the information to obtain credit cards, running up high balances by claiming to be the students.
Cyber risk isn’t just the risk of theft — it also extends to intellectual property issues, violation of privacy issues, and your online ministry.
In the next segment of this three-part series, we’ll discuss the steps that your church should be taking to prevent cyber theft and cyber liability.
Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.