IMB data breach prompts 'comprehensive response'
The Southern Baptist entity began a "comprehensive response" immediately upon discovering the cyber security incident and promptly notified law enforcement officials, according to a statement released to Baptist Press today (July 16), parallel to one released to North Carolina Baptists' newsjournal, the Biblical Recorder, on July 12.
The full text of the IMB statement follows this story.
The IMB said it "deeply regrets any inconvenience or concern this security compromise may cause" and emphasized that newly implemented protections "will improve our ability to detect and respond to threats to our data networks."
The IMB began contacting individuals potentially affected by the "unauthorized intrusion" on July 6, offering free enrollment in an identity protection and credit monitoring program, as well as access to a toll-free call center for inquiries and assistance.
One of the letters mailed to potentially affected individuals was obtained by the Recorder. It said the IMB "discovered unusual activity in our IT network" on April 11.
Investigations by law enforcement and independent digital forensic experts are ongoing, the IMB said. Investigators confirmed to the IMB that an "unknown external actor" gained access to personnel records that contained names, addresses, birth dates, contact information, Social Security numbers and limited health information.
The breach did not affect the IMB's financial systems, email systems or operational records, the statement said, and that IMB officials have received no indication to date that the compromised data has been misused.
Statement from the International Mission Board on Data Security Incident
On July 6, 2018, the International Mission Board (IMB) notified potentially impacted current and former employees, volunteers, and applicants of a data security incident that may have resulted in unauthorized access to their personal information. The notification followed an extensive investigation which determined that an unknown external actor accessed a data file within our IT system that contained personal information of individuals who had applied to serve with IMB as field personnel, volunteer, or home office staff. The security issue has been resolved and, although there have been no reports to date of the misuse of anyone's data as a result of this incident, out of an abundance of caution, we are offering free support services -- including credit monitoring and identity protection – to anyone whose personal data may have been impacted.
Upon initial discovery of the unauthorized intrusion by internal IT staff, we immediately initiated a comprehensive response to secure our system, investigate the issue, and enhance data security. The incident was promptly reported to law enforcement and IMB is cooperating with their ongoing investigation. We also engaged leading independent data forensics experts to assist with our own investigation and to help determine what information may have been accessed. In early June, the forensic experts were able to confirm unauthorized access to a data file containing application information including a mix of names, addresses, telephone numbers, email addresses, Social Security numbers, dates of birth, and limited health information for some individuals. The incident did not impact the IMB financial systems, email systems, or operational records. Although the investigation is ongoing, the identity and motive of the unauthorized intruder remain unknown.
Since investigators were unable to determine access to any specific individual records, we sent letters of notification to all individuals whose information was contained in the exposed data file. We also established a toll-free call center to answer questions and assist with enrollment into free credit monitoring and identity protection services. We encourage potentially affected individuals to take advantage of these precautionary services.
IMB deeply regrets any inconvenience or concern this security compromise may cause. The company takes very seriously our responsibility to protect the information entrusted to us. We have already implemented new security technologies around our most sensitive systems and data, which will improve our ability to detect and respond to threats to our data networks.