Screenshot 2023-01-13 at 1.50.18 PM


Reporting the Truth.
Restoring the Church.

Cyberattackers Target Episcopal Diocese of Virginia in $400,000 Theft

By David Paulsen
cyberattack cyber episcopal
More than $400,000 was stolen in a cyberattack on trust funds managed on behalf of the Episcopal Diocese of Virginia, prompting new security measures. (Photo: Tianyi Ma / Unsplash / Creative commons)

More than $400,000 was stolen in a cyberattack on the trust funds managed on behalf of the Diocese of Virginia of The Episcopal Church and its churches, prompting the diocese’s fund manager to implement new security measures.

The fraud occurred in November and December 2022. After it was discovered, the diocese first released details in January, though the full scope of the cyberattack wasn’t known until more recently, according to statements released on Sept. 8.

The cyberattack involved three transactions, two intended for parishes and one for the diocese. Cyber criminals were able to divert $412,868 in payments to unauthorized accounts. The fraud was discovered when the two parishes notified the diocese’s investments manager, known as Trustees of the Funds, that they had not received the $327,541 requested in withdrawals from their two accounts. Another payment of $85,327 intended for the diocese also was diverted, but that fraud was not detected until recently because it was part of a routine distribution.

The Trustees of the Funds manages investments for about 120 churches in Virginia and more than 80 affiliated institutions. Its core fund was valued at more than $122 million as of June 30,  according to information on its website. Participating parishes can make withdrawals to cover a range of expenses, such as charitable giving, building maintenance, construction and operations.

“We know that this is a disturbing matter, and we want to assure everyone that the staff and board are taking this very seriously,” the Trustees of the Funds said in its Sept. 8 message. While the diocese was fully reimbursed for its missed payment, the Trustees of the Funds sustained a total uninsured loss of $388,000 from the cyberattack and was forced to make a one-time reduction in its investment performance of 0.06%.

Your tax-deductible gift helps our journalists report the truth and hold Christian leaders and organizations accountable. Give a gift of $30 or more to The Roys Report this month, and you will receive a copy of “Baptistland: A Memoir of Abuse, Betrayal, and Transformation” by Christa Brown. To donate, click here.

episcopal cyberattack
St. George’s Episcopal Church in Fredericksburg, Virginia, is one of about 120 churches with money invested through Trustees of the Funds. (Photo: St. George’s, via Facebook)

The Trustees of the Funds’ message also said the cyberattack has been reported to the FBI and local police. Security upgrades have included new software, computer monitoring, scam testing, new withdrawal processes and increased security for internal emails. Officials suspect the breach happened because the perpetrators were able to access internal emails and used that access to divert payments.

“We take the safe stewardship of diocesan and congregational investments seriously and we are grieved by this criminal breach,” the diocese said in a statement released Sept. 8 by the office of Bishop E. Mark Stevenson. “We are thankful that this breach did not occur after the increased security measures were put in place. It is encouraging that these increased measures are working to prevent future attempts by cyber criminals. As always, the Diocese of Virginia is committed to full transparency with all members of the diocese regarding data security issues.”

This article originally appeared at Episcopal News Service.

David Paulsen is a senior reporter and editor for Episcopal News Service.



Keep in touch with Julie and get updates in your inbox!

Don’t worry we won’t spam you.

More to explore

Leave a Reply

The Roys Report seeks to foster thoughtful and respectful dialogue. Toward that end, the site requires that people register before they begin commenting. This means no anonymous comments will be allowed. Also, any comments with profanity, name-calling, and/or a nasty tone will be deleted.
MOST popular articles