DioVA hacked, suffers major losses

It was bound to happen.

Earlier today, the Episcopal Diocese of Virginia announced that the Trustees of the Funds (TOTF) experienced a major cyber attack. The TOTF holds investment funds for the Diocese, numerous parishes, and related organizations.

As a result of the hack, two parishes lost investment funds. While the Diocese has not disclosed the amount of the loss, the amount is substantial. Insurance will cover most of the loss.

In response, the Diocese announced a review of IT security at the TOTF, diocesan offices, and related organizations. In addition, the Diocese encouraged parishes and other constituent organizations to review their IT security measures and committed to full transparency about the breach.

Our take

First, let’s call a spade a spade. The only surprise is that it took so long for this to happen. Until recently, the Diocese didn’t know what assets it had in its portfolio. Nor could it identify specific requirements for restricted funds. Thus, the Diocese lacks even rudimentary internal controls, which makes it an attractive target for all kinds of misconduct. That includes both internal and external actors.

Second, until now, the Diocese and constituent parishes have had almost no concept of IT security. That includes:

Woefully outdated IT hardware.
Easily guessed passwords.
No investment in basic data security.
Utter indifference to the issue.
Failure to use U2F, encryption, or other basic security measures.

So, yet again, the only surprise in all of this is that it took this long, and that the damage was relatively minimal.

Third, we should look at the Diocesan’s stated goal of building trust through transparency. This from an entity that flatly refuses to follow church canons. It doesn’t publish financials, release audits, or provide specifics of its finances. Indeed Bishop Lee’s compensation only came to light during the property recovery litigation. Nor does it comply with safe church requirements enacted by General Conference. So building trust is a worthy goal, but the Diocese has enormous work to do in these areas.

Even worse, in the past, the Diocese has falsely stated that everything is going great. This sort of fabrication makes it difficult for members to assume that statements made by leaders are trustworthy. Once bitten, twice shy. So it will be an arduous process for the Diocese to earn trust.

Even now, as the Episcopal Church moves into what appears to be its final years, it controls significant assets. So let’s hope today’s news leads the denomination to improve overall governance and IT security. As things stand, safeguards against this sort of thing are woefully inadequate.

pca nomore on Proclamation Presbyterian: another sordid mess in PCA emerges: “The Sordid Mess at Proclamation Presbyterian continues. Proclamation Presbyterian’s Senior Pastor Ben Falconer announced early this year, after the sexual…”

Colin Ross on Falls Church Anglican releases addendum to sexual abuse investigatory report; result is underwhelming: “Purity culture was one of the saddest jokes these Christians played on us. Its an inherently evil, barbaric doctrine to…”

Jaybird on Falls Church Anglican releases addendum to sexual abuse investigatory report; result is underwhelming: “The church’s response is disturbing.”

Veritas on The truth matters: Letter disproves Bishop Lucinda Ashby’s claims about registered sex offender: “The psychology of why clergy will sometimes make knowing misstatements of fact should be studied. It seems that there is…”

Concerned on The truth matters: Letter disproves Bishop Lucinda Ashby’s claims about registered sex offender: “The bishop took the time to write up a public statement and have the diocesan spokesperson issue a statement. But…”

Our take

Leave a Reply Cancel reply