[BreachExchange] Data breach at Arden Hills-based Catholic financial services provider affects nearly 130K accounts

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 17 15:35:31 EDT 2017


http://www.twincities.com/2017/10/16/catholic-united-financial-data-breach-may-have-affected-nearly-130k-accounts/

A data breach at an Arden Hills-based financial services company serving
Catholic Church members in the upper Midwest has affected nearly 130,000
current and former members.

The unidentified hacker accessed the first and last names, mailing
addresses, dates of birth, email addresses, insurance policy information,
and Social Security numbers of members. Beneficiary information, log-in
credentials and other information were not accessed.

“I want you to know that we take our responsibilities as your financial
partner extremely seriously, and our response to this incident will
demonstrate (that) to our members,” Harald Borrmann, who serves as chairman
and president of Catholic United Financial, said in an Oct. 4 notice to
members.

An estimated 127,310 current and former members may be affected, including
7,356 deceased members, the letter said.

The nonprofit Catholic United Financial, which offers insurance, investment
and other services, currently serves 84,000 members in Minnesota, North
Dakota, South Dakota, Wisconsin and Iowa, according to its website
<https://www.catholicunitedfinancial.org/>.

Borrmann said Catholic United Financial worked quickly to notify members.

“On September 6, 2017, Catholic United Financial became suspicious that
there may have been an attack on its web server resulting in possible
unauthorized access to its members’ personally identifiable information,”
Borrmann said in a written statement Monday. “That same day, Catholic
United Financial hired outside forensic investigators to assess the
situation and determine whether such a breach had occurred. Simultaneously,
Catholic United Financial removed all potential access to personally
identifiable information on its web server and secured the web server from
any possible further attack.”

A Sept. 7 post on the company’s Facebook page announced that the website
was down for maintenance.

The forensic investigation determined that the company’s web server had
been attacked via SQL injection, a code injection technique often used to
steal or change identity information. The attacks may have followed
unauthorized access by attackers to personal information of those who were
members as of Nov. 12, 2016, the letter said.
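SQL injection, named above as the attack vector, comes down to user-supplied text being spliced into a query string so that quotes in the input become query syntax. As an added example, not code from the article or from Catholic United Financial (whose systems the article does not describe), the following Python uses an in-memory SQLite table with constructed, fictional records to show a lookup built by string formatting beside the same lookup with a bound parameter; the table name, columns and inputs are all assumed for illustration.

```python
import sqlite3

# Constructed sample data: fictional member records, not from the breach.
MEMBERS = [
    (1, "alice.example", "Alice", "Example", "000-00-0001"),
    (2, "bob.example", "Bob", "Example", "000-00-0002"),
]


def make_db():
    """Build an in-memory SQLite database with an assumed 'members' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "id INTEGER PRIMARY KEY, username TEXT, first TEXT, last TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the input is pasted into the SQL text, so a quote
    character in the input ends the string literal and the rest is parsed
    as SQL. This is the pattern an SQL injection attack relies on."""
    sql = f"SELECT id, first, last FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound by the driver as a parameter and is
    compared as data. Whatever it contains, it cannot change the query."""
    sql = "SELECT id, first, last FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a normal username and on a string containing a
    quote and a tautology, and return the rows each one hands back."""
    conn = make_db()
    normal = "alice.example"
    hostile = "x' OR '1'='1"  # constructed test input, not a real payload from the case
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the formatted query, the hostile string makes the WHERE clause true for every row and the whole table comes back; with the bound parameter the same string simply matches no username. The fix the article alludes to ("hardening its security") is, for this class of bug, exactly the second form applied everywhere user input reaches the database, combined with a database account for the web application that can read only the columns it needs.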

Catholic United Financial told members that it immediately shut down the
website when the incident was discovered. They are now restoring the
website “with even more enhanced security measures and programming,” the
letter said. It added that the company is “hardening its security with the
help of outside experts” as well.

The company told members it does not know how much time and money it will
require to rectify the situation.

Joseph Annotti, president and CEO of American Fraternal Alliance, of which
Catholic United Financial is a member, said Catholic United Financial is no
more or less vulnerable than the other dozens of companies that have
suffered data breaches.

“Every corporation that maintains information about customers — whether
that’s credit card numbers, Social Security numbers or other information —
that is valuable to be resold on the Web,” Annotti said. “No amount of best
practices or prohibitive steps is going to stop a determined hacker.”

Catholic United Financial is cooperating with investigations by the Ramsey
County sheriff’s office as well as the FBI.

WHAT TO DO IF YOU WERE HACKED:

Catholic United Financial sent information to all members about how to
proceed if hacked. The Federal Trade Commission offers additional
information online at www.identitytheft.gov.