Thou Shalt Not Ghost: Data Breaches, Ethics, and Transparency in the Church
Every modern organization, at some level, utilizes information as a resource. This resource can be divided into different categories. An organization’s name and address? Everyone can have access to it. That’s Public. The organization’s budget? Likely only employees need to know that. That’s Internal or Private. What about a complete list of an organization’s donors or members? Only a few need to know that. That’s Restricted or Confidential. Of course, we want those with the proper authority to have access to the appropriate information; that’s an essential part of doing business. Before the internet, sensitive information was kept in a locked cabinet, behind a locked door, with a guard posted on 24-hour watch. Since the advent of the information age we have systems that serve a similar purpose, but getting to that guarded door is far easier. Today, it’s not necessarily a question of ‘if’, but a question of ‘when’ that security will be tested. Will we be ready? Will we have a plan? And when those things fail, how will we handle it?
Businesses and nonprofits—especially churches—have an ethical obligation to be transparent when data breaches occur. Failing to notify affected individuals in a timely and honest manner violates core ethical duties of care, integrity, and stewardship.
I’ll be reviewing a situation that’s all too common. A church organization experiences a data breach and its congregants are financially exploited. We’ll review potential causes, how the threat actors work, the ethical principles at stake, and the most ethical ways to respond. We’ll also talk through potential obstacles. The goal is ultimately for those who have just experienced a breach to have a greater understanding and clarity so they can be empowered to take confident and informed next steps.
What commonly happens?
My wife logged into our church account to donate. Almost immediately she received an email from the ‘pastor’ (the source email address wasn’t correct, but many people don’t necessarily check every detail) asking her if she was available because he had a special request. Shortly thereafter she also received a text message from the ‘pastor’ (the phone number wasn’t correct, but the area code was appropriate). We have a fairly informal relationship with the real pastor, so she messaged him back asking what he needed. The ‘pastor’ messaged her saying he wanted to bless the administrative staff with a surprise. ‘He’ asked her if she could go and buy Apple gift cards, and then text him pictures of the front and back of those gift cards. Thankfully, this seemed out of character to my wife and she came to me, and I quickly pointed out the strange timing and inconsistencies. Knowing how these schemes work, I knew we wouldn’t be the only ones. This took place in the late morning and we immediately notified administrative staff so they could take prompt action.
Churches are filled with some of the most vulnerable. The elderly, the sick, the spiritually sick, the poor, those just coming out of addiction, and those just beginning to recover from mental illness. This vulnerability is compounded when a trusted servant asks them to go above and beyond to bless someone. And churches are communities of trust. That basis of trust is exploited to push these vulnerable individuals into making a hard decision.
Non-profits, and churches specifically, often have weaker information security than comparable for-profit organizations. The non-profit sector rarely has the budget that for-profit businesses can put into their systems, and that often means that even very popular non-profit platforms, and the small staffs that administer them, lag behind in terms of security.
After notifying the administrative staff we were repeatedly insistent that some church-wide notification be sent regarding what happened to us. Hours went by and we felt very ghosted. I can only assume they were scrambling to secure their systems. Then, almost 12 hours later, at nearly 8 pm we did finally receive a church-wide email. The email detailed that they had received several reports of malicious messages being sent to congregants and that if they received a message that seemed out of character they should contact staff by phone before taking any action.
There are so many ethical principles at stake in situations like this. But I think it’s important for churches especially to ask themselves first what their stance is on honesty, care, and stewardship. All these are related and foremost an organization should practice what they preach.
What should an organization’s guiding principle be when it comes to integrity?
We can look at it from the perspective of virtue ethics. Too much honesty and we just have another kind of information leak, gossip. Too little honesty, and we’re denying the truth. Can we show proper respect when we hide what happens? But with the proper balance, people receive what brings light to their lives. I find deontology to be one of the weakest ethical frameworks to apply in the wider context of organizations. But regarding integrity I find it to be very persuasive. “Act only on that maxim through which you can at the same time will that it should become a universal law” (Kant, “Groundwork for the Metaphysic of Morals”). This is essentially a fundamental definition of integrity itself. Along those same lines, I think that the sacred texts of many churches can contribute something similar: “The integrity of the upright guides them, but the crookedness of the treacherous destroys them” (ESV Bible, Proverbs 11:3). Are we genuinely showing integrity if we don’t plan for or promptly disclose a data breach?
What principles should guide an organization regarding care?
Care is a fundamental part of many non-profits, and of churches specifically. And care is about more than the services offered to people on any given Sunday; it’s also about how people are considered the rest of the week. Consider this along the lines of virtue ethics. Too much care and we coddle those we serve, and they never learn or grow. But too little care and the organization is a detriment rather than a benefit to those it serves. The right balance brings with it a kind of protection that promotes growth. Again, I think the church’s scriptures speak most clearly when they say, “And the King will answer them, ‘Truly, I say to you, as you did it to one of the least of these my brothers, you did it to me’” (Matthew 25:40). Are we showing care if we don’t warn people promptly that someone with malicious intent may have their personal information?
What principles should guide an organization regarding stewardship?
It’s by good stewardship that an organization emerges from a mere concept. It’s by good stewardship an organization can sustain itself. But an organization is more than its leadership and staff, it is also comprised of those it serves. Organizations are entrusted with and by those they serve. From the utilitarian perspective, doing nothing causes further harm. From the perspective of virtue ethics, too much stewardship could look like micromanagement or it might manifest in the form of hyper-focus, to the detriment of other virtues. An organization could spend so much time securing its information that it can’t fulfill its primary purpose. On the other hand, not enough stewardship and the entire ship rots away. The Scriptures speak of stewardship in the parable of the Talents. The good servant takes risks, works hard, while trusting, and invests his talents. The wicked servant does nothing (Matthew 25:14–30). Can we say we’re good stewards if we don’t prepare or if we say nothing when a breach happens?
What specifically happened?
I think it’s important to break down what likely happened in this case while also examining how it could have been prevented. Non-profit employees often fill many different roles. Along the way, an individual was set up as an administrator in the donation acceptance system. It’s possible they used a personal email for the account setup, but organization-related accounts should always use an organization email. That way, when the person leaves, the organization still controls access to the account. More importantly, when an individual leaves an organization their access needs to be either revoked or transferred to a different account. Over time this email was exposed in a separate, unrelated data breach, and the password that leaked with it was still in use. You can, and should, check haveibeenpwned.com to see whether your email address appears in known breaches, and its Pwned Passwords service to see whether a password you use has appeared in one. The threat actors used that leaked password to log in to the email account (a credential-stuffing attack, which works because people reuse passwords), then used the email account to reset or recover the administrator login for the church’s donation system. From there they had access to recent logins and the related contact information: who had just donated, and how to reach them. They then registered lookalike email addresses and VoIP phone numbers based on the church leadership’s names and the local area code, and began ‘phishing’ congregants for gift cards.
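The password side of the haveibeenpwned.com check above can be done without ever sending the password itself, using the Pwned Passwords range endpoint (k-anonymity: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally). The following is an added example written for this page, not code from the site or from any church platform; the live endpoint URL and the `SUFFIX:COUNT` response format are how I understand the public API, the User-Agent string is an arbitrary choice, and the range response used in the offline demo is constructed test data, not real output.

```python
"""Offline-testable Pwned Passwords (k-anonymity) lookup. Added example, not from the page."""
from __future__ import annotations

import hashlib
import urllib.request

# Public range endpoint; only a 5-char hash prefix is ever sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split uppercase hex SHA-1(password) into the 5-char prefix sent to the
    service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches (0 if absent)."""
    _, suffix = sha1_prefix_and_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Not used by the offline demo below."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "church-breach-check-example"},  # any descriptive UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses contain hundreds of suffixes; two are enough to show matching.
CONSTRUCTED_RANGE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
)


def check_offline(password: str) -> int:
    """Demo against the constructed body; swap in fetch_range(prefix) for a live check."""
    return breach_count(password, CONSTRUCTED_RANGE_BODY)


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2024"):
        n = check_offline(candidate)
        verdict = f"seen {n} times in breaches" if n else "not in the constructed sample"
        print(f"{candidate!r}: {verdict}")
```

The important property is that `sha1_prefix_and_suffix` is the only function whose output crosses the network boundary, and it exposes five hex characters, never the password or its full hash. An admin who finds a non-zero count should treat that password as burned everywhere it was reused, not just on the one site.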
What should the church have done differently?
The National Institute of Standards and Technology (NIST) has an excellent practice guide on preventing, detecting, and recovering from data breaches. It can be found at csrc.nist.gov/pubs/sp/1800/29/final (Fisher et al., Data Confidentiality: Detect, Respond to, and Recover from Data Breaches). Rather than reviewing it verbatim, here are a few suggestions that align strongly with that guide.
- Upon discovery of the problem, the administrative staff should have immediately notified everyone affected, essentially everyone in the member database, that there was a data breach. Notification should run in parallel with containment (revoking the compromised administrator account and resetting its credentials), not after it, because full clean-up can be a long process and every hour lost is another opportunity for additional harm.
- That notification should include details and an explicit warning. “We’ve been informed that bad-faith actors are exploiting our member database and asking congregants to purchase gift cards and send photos of those gift cards to staff via text. Our staff will never request you send us gift cards.”
- The administration should offer support. “Do feel free to notify us if you’ve received such a request and if you have any questions. Also, you may consider changing your password on the affected site.”
- Report the breach. This includes local police, which is important for insurance and if any theft took place. Depending on where the organization operates, breach-notification laws may also set a required timeline and list of recipients. Also notify the software platform where the breach happened. Often the platform is aware of, and prepared for, these situations; it may have logs showing exactly which account was used, from where, and what data was viewed, which the church cannot see on its own.
- Take steps to prevent a future breach. This begins with analyzing the weaknesses that led to the breach and addressing those specific gaps: in this case, a personal email on an organizational account, a reused password, and no offboarding step. From there, enable multi-factor authentication (MFA) or, better, passkeys, on every administrative login, since either would have stopped a leaked password from being enough. And still more, administrative staff should devise a simple and engaging training program so everyone in the office is prepared for future issues. Again, in non-profits roles often change and grow. If everyone has some level of training, an organization will be better prepared for when, not if, this happens again.
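The warning suggested above (“our staff will never request you send us gift cards”) and the tells described earlier (a familiar name on an unfamiliar address, a number with the right area code but the wrong digits) can be turned into a triage rule that office staff, or anyone forwarding a suspicious message, can run. This is an added example written for this page, not code from the church’s platform or any real mail filter; the staff directory, domain, phone numbers and messages are all constructed, and the keyword lists are my own assumptions about what a gift-card lure looks like.

```python
"""Triage inbound messages for staff impersonation. Added example, not from the page."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    phone: str  # digits only; 10-digit US numbers assumed for this example


@dataclass(frozen=True)
class Message:
    display_name: str
    sender: str  # e-mail address, or digits-only phone number for SMS
    body: str


# Constructed staff directory (not real people, addresses or numbers).
STAFF = [
    Contact("John Doe", "john.doe@example-church.org", "5551234567"),
    Contact("Mary Smith", "mary.smith@example-church.org", "5559876543"),
]

# Assumed lure shape: a gift-card brand plus a request for the card's details.
GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|apple|google\s*play|itunes|ebay|steam)\b", re.I)
CARD_DETAILS_RE = re.compile(r"\b(front|back|photos?|pictures?|codes?|numbers?)\b", re.I)
TITLES = {"pastor", "rev", "reverend", "dr", "mr", "mrs", "ms"}


def name_tokens(name: str) -> set[str]:
    """Meaningful name parts, with titles like 'Pastor' dropped."""
    return {t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3 and t not in TITLES}


def triage(msg: Message, staff: list[Contact]) -> list[str]:
    """Return the reasons a message looks like staff impersonation (empty = clean)."""
    reasons: list[str] = []
    sender = msg.sender.strip().lower()
    is_phone = sender.isdigit()
    known_emails = {c.email.lower() for c in staff}
    known_phones = {c.phone for c in staff}
    known_domains = {c.email.split("@", 1)[1].lower() for c in staff}
    known_area_codes = {c.phone[:3] for c in staff}

    # 1. Display name borrows a staff member's name, but the sender isn't that person.
    for c in staff:
        if name_tokens(c.name) & name_tokens(msg.display_name):
            if sender not in (c.email.lower(), c.phone):
                reasons.append(f"display name resembles {c.name} but sender {msg.sender} is not theirs")
            break

    # 2. Sender identity is outside the organization but engineered to look local.
    if is_phone:
        if sender not in known_phones and sender[:3] in known_area_codes:
            reasons.append(f"unknown number {msg.sender} uses the staff area code {sender[:3]}")
    elif sender not in known_emails and sender.rsplit("@", 1)[-1] not in known_domains:
        reasons.append(f"sender {msg.sender} is not on a known church domain")

    # 3. The ask itself: buy a gift card and send its details.
    if GIFT_CARD_RE.search(msg.body) and CARD_DETAILS_RE.search(msg.body):
        reasons.append("body requests gift cards and their details")
    return reasons


def is_suspicious(msg: Message, staff: list[Contact] = STAFF) -> bool:
    return bool(triage(msg, staff))


# Constructed messages modelled on the incident described in this post.
LURE_EMAIL = Message(
    "Pastor John", "pastorjohn.doe@gmail.example",
    "Are you available? I want to bless the admin staff. Could you buy Apple gift "
    "cards and text me pictures of the front and back?",
)
LURE_SMS = Message("Pastor John", "5553334444", "Are you free? I have a special request.")
LEGIT = Message("John Doe", "john.doe@example-church.org", "Sunday service moves to 10am.")

if __name__ == "__main__":
    for m in (LURE_EMAIL, LURE_SMS, LEGIT):
        print(f"{m.display_name} <{m.sender}>: {triage(m, STAFF) or 'no flags'}")
```

Rule 1 is the one that catches the text message in this story: the number shares the area code, so rule 2 fires too, but the body says nothing about gift cards yet because the ask comes in a later message. That is why the notification should tell people to verify by phone on a known number before acting, rather than to look for gift-card wording alone.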
But what if…?
What might hold an organization back from being transparent? Is it fear of the loss of reputation? Is it the lack of IT staff, awareness, or training? Is it the belief that the breach is not their responsibility, or that the issue is minor and doesn’t warrant greater attention? Every organization should weigh these against the ethical reasoning we reviewed above. But also consider this. Integrity builds long-term trust. Trust is hard to earn and easy to lose. Hiding a breach may offer temporary relief, but history has shown that these breaches rarely stay hidden, and that hiding them causes more damage when they are eventually exposed. Also consider that non-profits and churches need to hold themselves to a high level of ethical behavior and accountability in all situations, even when those situations come with a degree of uncertainty.
In an age where information is both a powerful tool and a potential liability, non-profits and churches specifically must be proactive in their commitment to transparency and integrity. The phishing scam we experienced in our church community illustrates the very real harm that can come when sensitive data is mishandled, or when those responsible delay acknowledging a breach. Ethical principles such as integrity, care, and stewardship are not abstract ideals. They are the backbone of trust in any organization, especially one rooted in service and moral teaching. By responding to breaches swiftly, communicating clearly, and preparing with both policy and training, organizations can minimize harm and demonstrate their values in action. To hide, delay, or downplay such an event is to risk the very heart of the community they aim to serve. When it comes to information security and ethics, the clearest and most moral path is also the most transparent one.