Data breach at Twin Cities-based Catholic financial services provider affects nearly 130K accounts
This story has been updated to correct references to the name of the financial services company.
ARDEN HILLS, Minn. — A data breach at an Arden Hills-based financial services company serving Catholic Church members in the upper Midwest has affected nearly 130,000 current and former members.
The unidentified hacker accessed the first and last names, mailing addresses, dates of birth, email addresses, insurance policy information, and Social Security numbers of members. Beneficiary information, log-in credentials and other information were not accessed.
“I want you to know that we take our responsibilities as your financial partner extremely seriously, and our response to this incident will demonstrate (that) to our members,” Harald Borrmann, who serves as chairman and president of Catholic United Financial, said in an Oct. 4 notice to members.
An estimated 127,310 current and former members may be affected, including 7,356 deceased members, the letter said.
The nonprofit Catholic United Financial, which offers insurance, investment and other services, currently serves 84,000 members in Minnesota, North Dakota, South Dakota, Wisconsin and Iowa, according to its website.
Borrmann said Catholic United Financial worked quickly to notify members.
“On September 6, 2017, Catholic United Financial became suspicious that there may have been an attack on its web server resulting in possible unauthorized access to its members’ personally identifiable information,” Borrmann said in a written statement Monday. “That same day, Catholic United Financial hired outside forensic investigators to assess the situation and determine whether such a breach had occurred. Simultaneously, Catholic United Financial removed all potential access to personally identifiable information on its web server and secured the web server from any possible further attack.”
A Sept. 7 post on the company’s Facebook page announced that the website was down for maintenance.
The forensic investigation determined that the company’s web server had been attacked via SQL injection, a code injection technique often used to steal or change identity information. The attacks may have followed unauthorized access by attackers to personal information of those who were members as of Nov. 12, 2016, the letter said.
Catholic United Financial told members that it immediately shut down the website when the incident was discovered. They are now restoring the website “with even more enhanced security measures and programming,” the letter said. It added that the company is “hardening its security with the help of outside experts” as well.
The company told members it does not how much time and money it will require to rectify the situation.
Joseph Annotti, president and CEO of American Fraternal Alliance, of which Catholic United Financial is a member, said Catholic United Financial is no more or less vulnerable than the other dozens of companies that have suffered data breaches.
“Every corporation that maintains information about customers — whether that’s credit card numbers, Social Security numbers or other information — that is valuable to be resold on the Web,” Annotti said. “No amount of best practices or prohibitive steps is going to stop a determined hacker.”
Catholic United Financial is cooperating with investigations by the Ramsey County sheriff’s office as well as the FBI.
WHAT TO DO IF YOU WERE HACKED:
Catholic United Financial sent information to all members about how to proceed if hacked. The Federal Trade Commission offers additional information online at www.identitytheft.gov.
Members may also call the company during business hours with further questions at 1-833-202-7414.
The Pioneer Press is a Forum News Service media partner.