Michigan’s Catholic workers are latest cyber victims

A Catholic agency in Lansing that handles payroll processing and employee benefits across Michigan is the state’s latest victim of a major cyber attack.

The Michigan Catholic Conference sent letters this week to more than 10,000 employees, warning them that their personal information has been compromised, officials said Friday.

The data breach follows similar breaches nationwide at a wide range of major institutions and corporations — from customers of Target and other retail chains last year, to 1.4 million owners of Fiat Chrysler vehicles in July, and this month to the randy clients of the Ashley Madison website, which had promised “100% Discreet Service” to married persons seeking extramarital sex.

According to the letter sent to Catholic workers statewide, the Michigan Catholic Conference is offering employees a free year’s worth of membership in an identity-protection service, which includes $1-million insurance policies covering lost wages, fraudulent electronic transfers from bank accounts and fees to private investigators that someone victimized by fraud might need to hire.

Work sites affected included Catholic churches, schools, hospitals, orphanages, and diocesan offices in Detroit, Gaylord, Grand Rapids, Kalamazoo, Lansing, Marquette and Saginaw, officials said.

“I cannot tell you how many prayers have been said in this organization in the last two weeks about this,” said David Maluchnik, communications director for the Michigan Catholic Conference at its Lansing headquarters.

Although the headquarters’ computer safeguards, or firewalls, are sturdy and up-to-date, it’s likely that one or more hackers obtained employee names, Social Security numbers, birth dates, addresses and monthly wage amounts, Maluchnik said.

“We’ve learned a significant amount from this. We’ve taken down the system that was involved, and we’ve changed all the passwords” that had been used by Catholic employers across the state to access their employees’ data, he said.

“So that, God forbid, if something like this were to happen again, the only information that a hacker would get is a series of numbers” and not employees’ names, Maluchnik said.

The problem surfaced in late July, “when our IT staff found what they considered to be a suspicious file deep within our computer network,” he said. A consulting firm hired to investigate found no way to trace the source of the cyber attack, he added.

The Lansing-based agency is run by a board chaired by Archbishop Allen Vigneron of Detroit. Yet, neither Vigneron nor any other board member, nor any religious employee in Michigan — including more than 1,200 priests and 2,000 nuns — is affected by the data breach, Maluchnik said. Their personal data is handled by separate computer systems, he said.

The cyber attack affects about 200 employees at the Archdiocese of Detroit, spokesman Joe Kohn said.

“People always say, ‘Why me? Why us?’ But the truth is, it’s everybody — everybody is vulnerable to this,” Kohn said.

Employees of the Archdiocese of Detroit received e-mails early this week about the problem, said Dug Rusin, a graphic artist with the Michigan Catholic newspaper, published in Detroit.

“We’re being told that pretty much everybody here is affected,” said Rusin, 49, of Eastpointe, one of six employees at the diocesan newspaper that claims a circulation of 27,000.

Membership in services such as ProtectMyID, offered for a year to the affected workers, is helpful but not a fail-safe guard against swindlers, said Doug Shadel, a fraud expert with the AARP in Seattle.

Referring to the Michigan cyber attack, Shadel said: “This sounds just like the breach here last year, where the archdiocese (in Seattle) had 90,000 people compromised — my wife was one of them.”

Many fraud-fighting actions that ID protection firms take are “things that you can do for yourself,” said Shadel, the state director for AARP Washington, and spokesman for AARP’s Fraud Watch Network.

Among Shadel’s tips: People should monitor their bank account balances daily, consolidate accounts so they have only a few to keep track of, and place security freezes on their credit files by calling major credit bureaus such as Experian, Equifax or TransUnion.

The last tip, for those not needing to open a new account anytime soon, “is a really strong way to inoculate yourself against fraudulent use of your accounts — and anyone can do this, at any time, not just after you’ve had data stolen,” Shadel said. The cost is $2 to $15, but it can interfere with those seeking an apartment, new job or a loan, he warned.

Consumers can view AARP’s Fraud Watch Network at www.facebook.com/fraudwatchnetwork or via www.aarp.org (enter search term “fraud watch network”).

Contact Bill Laitner: blaitner@freepress.com or 313-223-4485.