By Brent Lacy
Your Church Is One Click Away from a Cybersecurity Disaster
How small churches can protect themselves from phishing, fraud, and data breaches without a big IT budget.
The Data Breach That Put Hundreds of Parishioners at Risk
In August 2025, a cyber attack on a software vendor used by the Church of England compromised the personal data of hundreds of parishioners across at least ten dioceses. The company, APCS, provided Disclosure and Barring Service (DBS) checks for churches. When its software supplier, Intradev, was breached, the stolen data included names, dates of birth, email addresses, postal addresses, places of birth, gender, National Insurance numbers, passport details, and driving licences (Church Times, 29 August 2025). The diocese of Southwark offered affected individuals 12 months of free credit monitoring through Experian and warned that “the potential impact on any affected individuals may include identity theft.”
That attack targeted the Church of England’s infrastructure. But the same tactics — phishing, business email compromise, ransomware, and vendor exploitation — are actively being used against small and rural churches across the United States. The only difference is scale.
Why Churches Are Targets (Even Small Ones)
If you think your church is too small to be hacked, you have the exact mindset hackers are counting on.
Cybercriminals are not looking for important organizations. They are looking for easy organizations. A 2024 Verizon Data Breach Investigations Report found that 43% of all cyberattacks target small organizations — those with fewer than 500 employees or the equivalent. Small and rural churches are among the easiest targets available because they typically have:
– No dedicated IT staff
– No cybersecurity training
– Outdated equipment (because the budget is tight)
– Volunteers handling sensitive data (because everyone wears multiple hats)
– A culture of trust (which criminals exploit maliciously)
– Valuable data (member financial information, personal details, payroll data)
Enable Ministry Partners, a firm that has served churches in technology security for 25 years, puts it plainly: regardless of awareness, most churches remain vulnerable because they lack formal security protocols, adequate training, and appropriate tools. The threat is not theoretical. It is active and growing.
The Five Attacks Your Church Will Face
1. Business Email Compromise (Account Takeover)
The scenario works like this: a hacker gains access to a church staff member’s email account — not through sophisticated technology, but through a trick. They send a fake login page that looks exactly like Gmail or Outlook. The staff member types in their password. Now the hacker has it.
Once inside, the hacker reads the email history to learn communication patterns. Then they send emails that sound perfectly normal — requesting wire transfers, changing giving platform login credentials, asking for gift card codes for a “youth group emergency.”
The people receiving these emails have no reason to doubt them. The emails come from a trusted colleague’s account. They use the right tone. They reference real events. And by the time anyone realizes what happened, the money is gone.
2. Vendor Email Compromise
This one is sneaky. The attacker does not even hack your church directly. Instead, they hack one of your trusted vendors — the landscaper, the security company, the sound equipment supplier. Then they send an email from the vendor’s real email account with updated banking details: “Hi, please note our new account information for your next payment. Thanks!”
Your church updates the records. The next scheduled payment goes to the hacker. Weeks later, the real vendor calls asking why they haven’t been paid.
3. VIP Spoofing
The attacker impersonates your senior pastor — not through email, but through text messages or phone calls. They might call the office administrator and say: “Hey, I’m at a conference and my card is getting declined. Can you text me a few gift card codes? I’ll pay the church back next week.” This works more often than you would believe, because the request comes from someone in authority and church staff are helpers by nature.
4. Church Management System Account Compromise
Most church management systems (Planning Center, Breeze, Church Community Builder, Shelby, etc.) contain the personal information of your entire congregation: names, addresses, phone numbers, email addresses, birthdates, family connections, giving history. If a hacker gets the login credentials of any staff member or volunteer with access to this system, they can download your entire member database.
That information can then be used for targeted scams against your own congregation. A hacker with your member list can send personalized phishing emails that look like they are from your church. Attackers launch follow-up attacks against individual congregants whose data was stolen, including identity theft and financial fraud.
5. Ransomware
This is the big one. A hacker gains access to your church’s network — often through an unpatched security vulnerability in old software or a clicked phishing link. They encrypt every file on every connected computer. Every sermon file, every financial record, every membership database, every archived newsletter. All locked. All held hostage.
Then you receive a message: “Pay us $50,000 in cryptocurrency within 72 hours, or we publish all your data online and you never get it back.”
In 2024, the ransomware gang Rhysida attacked First Baptist Church of Hammond, Indiana, breaching personal data of church staff, missionaries, and volunteers. The church was given seven days to pay $600,000. One megachurch. One click.
Your church is smaller. The ransom demand would be smaller too. But for a church on a $100,000 budget, even a $5,000 demand is unpayable.
The question is not “would someone target our church?” The question is “if it happened Tuesday, what would we do?”
The Near Misses You Never Hear About
For every church that makes the news because of a successful ransomware attack, there are hundreds of near misses that never make it to the headlines. These are the incidents that almost happened but did not — usually because someone happened to notice something slightly wrong at the right moment:
– A treasurer who double-checked a wire transfer request by phone before sending (and discovered the email was fake)
– A secretary who noticed that a “giving platform password reset” email came from a slightly wrong domain
– An administrator who recognized that the “new vendor banking details” email was sent at 2 AM from a vendor in a different time zone
– A pastor who decided to change all church passwords after a team member’s personal email appeared in a data breach report
Near misses are not luck. Near misses are evidence that your systems are being probed, tested, and targeted. The only question is whether the next attempt will also be a miss — or whether it will finally succeed.
In his book Near Miss: Preventable IT Failures Threatening Your Security, IT veteran Brent Lacy describes near misses as “the silent threats that build up until one of them triggers a catastrophic failure.” Churches are full of near misses happening quietly every week. The old computer that could die tomorrow. The volunteer with the password written on a sticky note. The email account with no two-factor authentication. The backup that has not been tested in months.
You are not safe because nothing bad has happened. You are one moment away from something bad happening.
The Power User Problem
Churches have a unique vulnerability that most businesses do not: the well-meaning tech-savvy volunteer.
Dave is a retired IT professional who attends your church. When the church computer was acting up, Dave fixed it. When the sound system needed new software, Dave installed it. When the church needed someone to manage the website, Dave volunteered. Dave is wonderful. Dave is also — unintentionally — your biggest security risk.
Why? Because Dave has administrator access to everything. Dave’s personal laptop, which he uses for church work, also has his grandchildren playing online games on it. Dave uses the same password for his personal email and the church server because “it’s easier to remember.” Dave installed free remote access software on the church computer so he could help troubleshoot from home, and that software is not secured with two-factor authentication.
Brent Lacy, in his Near Miss book, calls this “The Myth of the Power User” — the dangerous assumption that because someone is good with technology personally, they understand organizational security. They usually do not. And giving one person unrestricted access to every system creates a single point of failure that can bring everything down.
The rule is simple: no one person should have access to everything. Not even Dave. Not even the pastor.
The Sticky Note on the Monitor
Another common scene in small churches: the office computer monitor has a sticky note with the admin password written on it. Or the Wi-Fi password is written on a whiteboard in the office. Or the same four-digit code opens the supply closet, the Wi-Fi network, and the security system.
These feel harmless because everyone in the church family is trusted. But security breaches at churches rarely come from outside attackers guessing passwords. They come from:
– Former volunteers who still have access
– Members who left the church on bad terms but still know the systems
– Visitors who observe weak security practices
– Family members of volunteers who have access to shared devices
What to Do: A 30-Day Church Security Checklist
You do not need a $50,000 security system. You need to do the basics consistently. Here is what responsible stewardship looks like — most of it costs nothing:
Week 1: Access Audit (Free)
– List every person who has a password to any church system
– Remove access for anyone who no longer serves in that role
– Verify that no one person has access to everything
– Change any default passwords on routers, cameras, or management systems
Week 2: Authentication Upgrade (Free)
– Turn on two-factor authentication (2FA) for every email account associated with the church
– Turn on 2FA for your giving platform, website hosting, and church management system
– Set up a church password manager (Bitwarden has a free plan; 1Password has a family plan for $3/month)
– Replace any passwords that are names, Bible verses, or single dictionary words
Week 3: Backup Verification ($10-$20/month if you do not already have one)
– Back up your church management system database to a cloud service (Google Drive, Dropbox, Backblaze)
– Back up financial records, sermon files, and membership data to a separate off-site backup
– Test the backup — pretend your church computer died tomorrow. Can you actually restore from the backup? If you have not tested it, you do not have a backup. You have a wish.
Week 4: Education (Free)
– Share this article with your board and key volunteers
– Discuss: What would we do if our email was hacked tomorrow? If our data was encrypted by ransomware? If a fraudulent wire request came through?
– Write down the answer. That is the beginning of an incident response plan.
– Assign one person to be responsible for security — not to do everything, but to make sure nothing falls through the cracks
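As an added illustration of the Week 1 access audit and the Week 2 two-factor check (this script is not from the article or from MinistryPlace), here is a short Python program run over a constructed access inventory. It flags access still held by people who no longer serve, anyone who holds access to every church system, and active accounts without two-factor authentication. The names, system labels and CSV layout are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real church data): one row per person/system
# grant. "active" records whether the person still serves in that role.
INVENTORY_CSV = """person,system,role,active,two_factor
Dave,email,admin,yes,no
Dave,church_mgmt,admin,yes,no
Dave,giving_platform,admin,yes,no
Dave,website,admin,yes,no
Pat,email,user,yes,yes
Pat,church_mgmt,user,yes,yes
Chris,giving_platform,admin,no,no
Sam,website,editor,yes,yes
"""


def load_inventory(text):
    """Parse the CSV inventory into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Apply the Week 1 and Week 2 checklist items to the inventory."""
    systems = {r["system"] for r in rows}
    per_person = defaultdict(set)
    for r in rows:
        if r["active"] == "yes":
            per_person[r["person"]].add(r["system"])
    # Week 1: access for people who no longer serve in that role
    stale = sorted((r["person"], r["system"]) for r in rows if r["active"] != "yes")
    # Week 1: no single person should hold access to every system
    everything = sorted(p for p, s in per_person.items() if s == systems)
    # Week 2: active accounts that still lack two-factor authentication
    no_2fa = sorted((r["person"], r["system"]) for r in rows
                    if r["active"] == "yes" and r["two_factor"] != "yes")
    return {"stale_access": stale, "access_to_everything": everything, "missing_2fa": no_2fa}


def print_report(findings):
    """Print each finding as a to-do line for the access audit meeting."""
    for person, system in findings["stale_access"]:
        print(f"REMOVE: {person} no longer serves but still has {system} access")
    for person in findings["access_to_everything"]:
        print(f"SPLIT: {person} has access to every system (single point of failure)")
    for person, system in findings["missing_2fa"]:
        print(f"ENABLE 2FA: {person} on {system}")


if __name__ == "__main__":
    print_report(audit(load_inventory(INVENTORY_CSV)))
```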
What to Do When It Happens
Despite your best efforts, an incident may occur. Here is your response plan:
1. Do not panic, and do not pay immediately. If you receive a ransomware demand, contact your insurance provider and a professional before paying anything. Do not negotiate alone.
2. Do not use the compromised systems. If you suspect a breach, disconnect affected computers from the network immediately.
3. Contact your bank immediately. If a fraudulent wire transfer was initiated, your bank may be able to reverse it if you act fast.
4. Document everything. Take screenshots, note times, save emails. You will need this for insurance and possibly law enforcement.
5. Notify affected individuals. If personal data was compromised, your congregation deserves to know. Be honest. They will respect honesty far more than a cover-up discovered later.
6. Report the incident. File a report with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. This helps law enforcement track patterns and protect other organizations.
7. Learn from it. After the crisis, conduct a review: What failed? What worked? What will you change?
The Bottom Line
Your church handles the personal information of every family in your congregation. You manage real money. You hold real responsibility. The people who gave you their addresses and birthdays and children’s names did so trusting you to protect that information.
Responsible technology stewardship is not a luxury for churches with extra budget. It is a baseline expectation of faithful leadership.
The 30-day checklist above costs almost nothing. It requires no technical expertise. It requires only the willingness to take the first step.
The question is not whether your church can afford to do this.
The question is whether you can explain to your congregation why you did not.
Frequently Asked Questions
What are the most common cybersecurity threats to churches?
Phishing emails targeting staff, ransomware attacks on church management systems, and unauthorized access to financial data are the most common threats small churches face.
How much does church cybersecurity cost?
Basic cybersecurity (strong passwords, two-factor authentication, and staff training) can be implemented at minimal cost. More comprehensive solutions range from $50-200/month.
What is the first step a church should take?
Enable two-factor authentication on all accounts, especially email and financial systems. This single step prevents the majority of unauthorized access attempts.
Should we be worried about our giving platform?
Reputable giving platforms invest heavily in security. The greater risk is usually staff email compromise that redirects giving or manipulates financial transactions.
How do we train our volunteers on cybersecurity?
Focus on three things: recognizing phishing emails, using unique passwords, and never sharing login credentials. A 15-minute annual training covers the essentials.