In late March 2022, The Church of Jesus Christ of Latter-day Saints detected unauthorized activity in certain computer systems that affected personal data of some Church members, employees, contractors, and friends. The affected data did not include donation history or any banking information associated with online donations.
Since that time, we have been working with U.S. federal law enforcement authorities and third-party cybersecurity experts to establish the origin, nature, and scope of this incident and to mitigate possible impacts. Law enforcement authorities believe the risk that the information will be used to harm individuals is low and our monitoring efforts have not identified any attempts of harmful use.
At the request of these law enforcement authorities, we have not shared information about the incident as they have conducted their investigation until October 12, 2022.
We are now notifying those who may have been impacted, even where this is not legally required. Anyone with questions about the security of their information can learn more by referencing the frequently asked questions below.
Protecting the confidential information of our members, employees, contractors, and friends is critical. We continue to do all we can to ensure such information is safeguarded.
FAQ
- What happened?
- What personal information was affected?
- Who can I talk to about this?
- What is the Church doing to prevent this from happening again?
- What steps do I need to take?
- Why did the Church have my data?
- Did you report this to a data regulator or data protection authority?
- How can I find out if my personal data was involved?
- Why did it take so long to notify me?
On March 23, 2022, The Church of Jesus Christ of Latter-day Saints, a Utah corporation sole (CHC) detected unauthorized access to certain computer systems. We immediately notified federal law enforcement authorities in the United States and were asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on October 12, 2022, and we notified affected individuals. U.S federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.
2. What personal information was affected?
The breached systems contain personal data, including basic contact information, of members of The Church of Jesus Christ of Latter-day Saints. The data accessed may include, if you provided it, your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language. The affected data did not include donation history, or any banking information associated with online donations.
3. Who can I talk to about this?
If you have further questions or concerns, please contact us at: www.ChurchofJesusChrist.org/DataPrivacy.
4. What is the Church doing to prevent this from happening again?
We take protecting the personal data entrusted to us seriously and are taking every action to keep your information safe. We have been working with external forensic experts, U.S. federal law enforcement, and other cybersecurity professionals to investigate the incident and further enhance the security of Church systems.
5. What steps do I need to take?
We have no indication that any of your personal data has been misused or published. We recommend that you remain vigilant about the security of your personal data by monitoring your personal accounts, frequently changing passwords, selecting strong and different passwords for every account, and taking action on any suspicious activity. You should promptly report to law enforcement authorities any fraudulent activity, scam, or identity theft.
6. Why did the Church have my data?
The personal data involved was the result of the creation of an online Church account or the result of employment with the Church.
7. Did you report this to a data regulator or data protection authority?
We have notified relevant data protection authorities.
8. How can I find out if my personal data was involved?
If you did not receive a notification email, it is unlikely your personal data was involved.
9. Why did it take so long to notify me?
The Church was coordinating with law enforcement authorities and was asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on October 12, 2022.