Cyber Incident Victim: Diocese of Las Vegas
Date:
Mar 2023
Location:
United States of America
Summary
The Diocese of Las Vegas disclosed a cybersecurity breach involving potential compromise of sensitive information belonging to volunteers, parishioners, donors, and other stakeholders. While no evidence of fraud, identity theft, or misuse of personal data was identified, the organization engaged cybersecurity experts, notified law enforcement, and began notifying potentially impacted individuals. Employee payroll and benefits data remained unaffected due to storage on separate cloud-based systems. In response, the organization reviewed and strengthened its data security measures and established a dedicated call center to address inquiries from concerned parties.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Diocese of Las Vegas disclosed a cybersecurity breach on March 12, 2023, after discovering unauthorized access to systems containing sensitive information belonging to volunteers, parishioners, donors, and other stakeholders. The organization immediately notified law enforcement and engaged external cybersecurity experts to assist with containment and forensic analysis. Though the investigation found no evidence of fraud or identity theft stemming from the incident, the Diocese elected to issue public notifications out of caution due to the potential exposure of personal data. Impacted parties were informed through a formal news release, which emphasized transparency but did not disclose technical details regarding the intrusion vector, duration of unauthorized access, or specific data types confirmed as compromised. The Diocese confirmed that employee payroll records, benefits information, and Catholic Stewardship Appeal donor data were unaffected because these systems operated on separate cloud-based servers not implicated in the breach.
In response to the incident, the organization conducted a review of its data security policies and implemented enhancements designed to reduce recurrence risks, though no technical specifics of these changes were provided. A dedicated call center (1-833-570-3056) was established to field inquiries from potentially affected individuals during weekday hours from 6 a.m. to 6 p.m. Pacific Time. The Diocese publicly apologized for concerns or inconveniences caused by the breach, reaffirming its commitment to data privacy and security while acknowledging the incident’s potential to undermine stakeholder trust. No ransomware involvement, data destruction tactics, or financial demands were referenced in the disclosure, and the investigation remained ongoing at the time of reporting with no additional follow-up details provided. The organization maintained its operations throughout the response period with no reported disruptions to religious services or community programs.