Earlier this month, genealogy website FamilySearch announced that hackers had broken into its systems and stolen personal data about its users.
The site, which is run by the Church of Latter-Day Saints (better known as the Mormons) and describes itself as “the world’s largest shared family tree”, informed affected users via email on 13 October 2022 about its data breach.
The email begins:
Dear Account Holder:
FamilySearch International, a Utah nonprofit corporation (“FSI”), detected an unauthorized network intrusion that affected personal data you previously provided. At this time, there is no indication that the data has been or is likely to be used for fraudulent or other harmful purposes. The affected data did not include users’ family tree data. We are notifying you and others worldwide whose data may have been affected, even where this is not legally required.
Yes, they’re notifying folks whose data may have been affected, “even where this is not legally required.”
That’s nice of them.
But hang on, read a little further…
“On March 23, 2022, we detected unauthorized access to certain computer systems. We immediately notified federal law enforcement authorities in the United States. We were asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on October 12, 2022.”
Umm.. so the hackers stole – amongst other data – users’ full names, genders, email addresses, birth dates, mailing addresses, phone numbers (all useful information that can be exploited by scammers)… but FamilySearch was asked to keep schtum about it.
But don’t worry…
The affected data did not include users’ family tree data.
So your great great great grandmother doesn’t have anything to worry about.
FamilySearch says it cannot determine who hacked its systems, but that US law enforcement authorities suspect the intrusion was “part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.”
So there you go, nothing to worry about…
Which is just as well, because you’ll have a hell of a time changing your name, gender, birth date etc…
But seriously, shouldn’t affected users have been told sooner? Should law enforcement agencies be able to delay members of the public being told that their personal information may be in the hands of fraudsters and cybercriminals for over half a year?
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.