Cyber Incident Victim: FamilySearch
Date: Mar 2022
Location: United States of America
Summary
A genealogy website experienced a cybersecurity breach where hackers infiltrated its systems and accessed users' personal information, including full names, genders, email addresses, birth dates, and mailing addresses, though family tree data remained unaffected. The same attackers also compromised the personal details of members associated with the site's parent organization. The organization delayed notifying affected users for several months after discovering the incident and could not identify the perpetrators. The breach raised concerns about the timeliness of disclosure and the extent of compromised data across affiliated entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
FamilySearch, a genealogy website, experienced a cybersecurity breach involving unauthorized access to user data. The incident was discovered by the organization in March 2022, but affected users were not notified until October 13, 2022, via email communications. According to the notification, attackers exfiltrated personal information including users' full names, genders, email addresses, birth dates, and mailing addresses. FamilySearch explicitly stated that family tree data remained uncompromised in the breach. The organization acknowledged its inability to identify the perpetrators responsible for the intrusion.

The delayed disclosure occurred seven months after initial discovery, with public announcement following in October 2022. Evidence suggested the same threat actors targeted FamilySearch's parent organization, resulting in additional compromises of church members' personal information. The breach notification email addressed to account holders confirmed the exposure of sensitive personal identifiers while emphasizing the preservation of genealogical records. The incident raised questions regarding both the timeline of user notifications and the full extent of data accessed across related entities. Security analysts highlighted concerns about the prolonged gap between breach detection and public disclosure, on which the organization offered no further elaboration.
