Cyber Incident Victim: Saint Paulus Lutheran Church

On May 6, 2020, Saint Paulus Lutheran Church in San Francisco held a virtual Bible study session via Zoom attended by eight participants, primarily pensioners. During the session, an unidentified hacker hijacked the meeting, disabling participants’ computer controls and displaying graphic videos depicting child sexual abuse and physical violence against infants and children. The assailant, described in subsequent legal filings as a "known offender" previously reported to authorities, interrupted the gathering with what the church later characterized as "sick and sickening" footage. When attendees attempted to terminate the session and restart it, the attacker repeated the intrusion, prolonging the disruption. The incident occurred amid widespread reports of "Zoombombing"—unwanted intrusions into video conferences—as Zoom’s usage surged during COVID-19 lockdowns.

Saint Paulus leadership contacted Zoom for assistance immediately following the attack but asserted the company "did nothing" in response. On May 13, 2020, the church filed a proposed class action lawsuit against Zoom in U.S. federal court in San Jose, alleging negligence, breach of implied contract, unjust enrichment, and unfair business practices. The suit sought unspecified damages, citing Zoom’s failure to prevent the intrusion despite prior security criticisms, including misleading claims about end-to-end encryption. Zoom issued a statement on May 14 condemning the incident, confirming it had identified and blocked the perpetrator on the day of the attack and reported them to authorities. The company attributed the breach partly to the church’s broad sharing of meeting access credentials, while highlighting recent security updates. The intrusion caused documented distress to elderly participants and intensified scrutiny of Zoom’s privacy safeguards during its rapid global adoption.