Cyber Incident Victim: Archdiocese of Denver

In October 2015, an unauthorized individual accessed a payroll database maintained by a third-party vendor for the Archdiocese of Denver, compromising the personal identifiable information of approximately 18,000 current and former employees and their dependents. The Archdiocese discovered the breach in late October 2015 but initially believed only a limited number of individuals were affected, issuing notifications in November 2015 to that smaller group. Subsequent reports from individuals outside the initial notification list revealed broader impacts, as multiple victims experienced fraudulent tax filings filed under their names using the exposed data. The compromised information included names, Social Security numbers, and addresses stored in the vendor-managed payroll system. By April 2016, the Archdiocese expanded notifications to all individuals in the database whose information might have been accessed, acknowledging the full potential scope of the incident. The breach’s exact entry point remained undetermined, though investigators confirmed access occurred through the third-party vendor’s systems.

The Archdiocese engaged a consulting firm to investigate the breach, secure the affected database, and implement additional security measures to prevent future incidents. It reported the breach to the Colorado Bureau of Investigation and offered credit reporting services and identity repair assistance to all potentially impacted individuals. While no specific attacker actions or intrusion methods were publicly identified, the Archdiocese emphasized collaboration with its payroll provider to restore data integrity. The breach’s primary confirmed consequences involved identity theft through fraudulent tax filings, directly linking the stolen data to criminal activity. No further details about containment timelines, forensic findings, or system modifications were disclosed beyond the implementation of enhanced security protocols.