In January 2023, we informed the people of the Diocese of Virginia that the Trustees of the Funds, which oversees investment portfolios for the Diocese and many of its congregations, was the victim of a cyber attack that resulted in the diversion of funds intended for two congregations. (See January notice.)
At that time, we believed that these were the only two thefts in the data breach. The Trustees of the Funds (ToTF) immediately went on lockdown, notified law enforcement, and launched a full investigation of ToTF processes. They then engaged an IT firm to implement increased security measures and contracted with an independent company to manage fund transfers. The Diocese also increased IT security measures. By March 2023, these new procedures were fully in place.
Last week, in the process of the Diocese’s standard annual audit preparation, the Finance Office of the Diocese discovered that a third cash transfer sent by the ToTF was diverted by cyber criminals.
This transfer, in the amount of $85,326.92, was intended for the Diocese.
We want to be clear that this third incident was part of the same cyber attack in December 2022 and not a new breach. The reason the original investigation did not surface this transaction is that, unlike the transfers to two congregations, this transfer was part of a distribution that happens from time to time, rather than a request by the participant. Therefore, the Treasurer’s Office of the Diocese did not inquire about a missing transfer as the congregations did.
Immediately following the discovery, the ToTF notified law enforcement and voted to make the Diocese whole on the diverted funds.
We take the safe stewardship of diocesan and congregational investments seriously and we are grieved by this criminal breach. We are thankful that this breach did not occur after the increased security measures were put in place. It is encouraging that these increased measures are working to prevent future attempts by cyber criminals. As always, the Diocese of Virginia is committed to full transparency with all members of the Diocese regarding data security issues.