April 30, 2025

Improving Cybersecurity: Blocking Unauthorized Access to Your Systems

On January 25, 2025, the Episcopal Church Foundation (ECF) faced an attempted cyberattack on our networks. Fortunately, the attack was unsuccessful. We want to raise awareness about this potential threat and provide preventive measures that may be implemented within the church. As part of our commitment to support and strengthen Episcopal faith communities and to serve the Episcopal Church with transparency, we are sharing this experience.

Cyberattacks are on the rise. Churches and other religious organizations are at increasing risk from cybersecurity threats, such as data breaches, ransomware attacks, and other cyber incidents.

Organizations must have strong foundational guardrails to prevent unauthorized access. It is also essential to educate staff and volunteers about the risks of cyberattacks. The way employees, clients, and other users log in and access systems serves as the critical first line of defense in safeguarding assets.

What happened

On January 25, 2025, ECF experienced a brute force cyberattack where a bad actor attempted to use ECF email accounts and associated passwords to access our systems from more than 400 different IP addresses. A few days before, on January 21, 2025, the Right Rev. Mariann Edgar Budde, Bishop of the Diocese of Washington, D.C., and the Washington National Cathedral, delivered her sermon at the National Cathedral prayer service for the inauguration of President Donald Trump. Following this event, many Episcopal organizations, including ECF, reported receiving harassing phone calls and emails.

The brute force cyberattack was unsuccessful due to proactive measures we had implemented to fortify our systems. This included enabling multifactor authentication (MFA) and disabling legacy authentication. After this incident was discovered, we promptly informed law enforcement to assist with any investigation into similar incidents.

Discovering and preventing the attempted cyberattack

We discovered the attempted brute force cyberattack on ECF systems that occurred on January 25th while investigating an unrelated cyber incident at a third-party IT vendor responsible for managing certain ECF systems.

During our investigation of the January 25th incident, we found that the brute force attack was successfully thwarted due to our earlier implementation of multifactor authentication (MFA) and the disabling of legacy authentication. Legacy authentication refers to older sign-in protocols and clients (for example, basic authentication as used by older email programs) that accept only a username and password and cannot prompt for a second factor. Organizations often leave it enabled after rolling out MFA so that older software keeps working, which is exactly the gap an attacker looks for.

Many organizations that roll out MFA overlook disabling legacy authentication. Leaving it enabled means an attacker who guesses or obtains a password can still sign in through a legacy protocol and is never asked for a second factor, which defeats the purpose of MFA. After enabling MFA, confirm that legacy protocols are blocked for every account, not only for the accounts that have already enrolled.

Why we are sharing this with you

As part of our mission to support and strengthen churches, parishes, dioceses, and other Episcopal organizations, we provide innovative resources and ideas for implementation. We are dedicated to serving The Episcopal Church with understanding and openness while focusing on the future. This includes preparing our community for a present and future in which cybersecurity threats are increasingly common.

Recognizing the potential vulnerability others may face, we wanted to alert our community about the brute force cyberattack we experienced on January 25th and share preventive measures. As a result of our alert, two churches and an Episcopal nonprofit are currently assessing their systems using the information we provided.

FAQs

What is a brute force attack?

A brute force attack is a cyber intrusion technique where attackers (or programs they write) systematically guess login credentials, encryption keys, or other methods of accessing sensitive information through trial and error. This method involves testing numerous combinations until the correct one is found, often utilizing automated tools to expedite the process.

Was any ECF data affected in this brute force attack?

No ECF data or systems were affected in the attempted cyberattack on January 25th.

How can we prevent this type of attack on our organization?

Sign-in attempts cannot be prevented outright, since anyone on the internet can try a password against an account, but they can be made to fail. Use strong, unique passwords and require multi-factor authentication (MFA), disable every legacy authentication process so that a password alone is never enough, and monitor sign-in logs for failed attempts against many accounts or from many different addresses, which is how this kind of attack shows up.
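The two warning signs in the answer above (and in the earlier point about legacy authentication undermining MFA) can be checked mechanically. The following is an added example, not ECF's code or any vendor's product: it runs two checks over a small constructed sign-in log. The log format, the field names, the client labels, and the addresses are assumptions for illustration. The first check flags accounts whose failed password attempts came from many distinct addresses in a short span, the distributed pattern the article describes; the second lists every attempt through a password-only client, because a success there means an account was reached without a second factor, and any attempt at all means legacy authentication is still enabled.

```python
"""Sign-in log checks for distributed password guessing and legacy authentication.

Added example, not ECF code; the log format, field names, and client labels
are assumptions for illustration only.  Each line is:
    <ISO 8601 UTC timestamp> <user> <source ip> <client app> <result>
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumption: these client labels denote password-only protocols that cannot
# prompt for a second factor (what the article calls legacy authentication).
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP_AUTH"}


def _constructed_log():
    """Build a small constructed sample log (not real data)."""
    base = datetime(2025, 1, 25, 3, 14, 0)
    lines = []
    # alice: 12 failed password guesses from 12 distinct addresses in six
    # minutes, the distributed pattern described in the article.
    for i in range(12):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} alice@example.org 198.51.100.{i + 1} Browser FAILED_PASSWORD")
    # bob: three failures from one address, a user mistyping a password.
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} bob@example.org 203.0.113.5 Browser FAILED_PASSWORD")
    # carol: a correct password over IMAP, where no MFA prompt is possible.
    lines.append(f"{base.strftime(TS_FORMAT)} carol@example.org 203.0.113.9 IMAP SUCCESS")
    # dave: correct password in a browser, but the MFA challenge failed.
    lines.append(f"{base.strftime(TS_FORMAT)} dave@example.org 203.0.113.10 Browser FAILED_MFA")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one log line into a record with a parsed timestamp."""
    ts, user, ip, client, result = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FORMAT),
        "user": user,
        "ip": ip,
        "client": client,
        "result": result,
    }


def parse_log(lines):
    return [parse_line(line) for line in lines]


def find_spray(events, window=timedelta(minutes=10), min_ips=5):
    """Accounts whose failed password attempts came from at least `min_ips`
    distinct source addresses inside some span of length `window`.

    Returns {user: distinct_ip_count}.  Counting distinct addresses rather
    than raw failures separates a distributed guessing campaign from a
    single user mistyping a password a few times."""
    failed = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED_PASSWORD":
            failed[e["user"]].append(e)
    flagged = {}
    for user, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            peak = max(peak, len({e["ip"] for e in in_window}))
        if peak >= min_ips:
            flagged[user] = peak
    return flagged


def find_legacy_auth(events):
    """Every sign-in attempt through a password-only client.  A SUCCESS here
    means an account was reached with no second factor; any attempt at all
    means legacy authentication has not been disabled."""
    return [e for e in events if e["client"] in LEGACY_CLIENTS]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, n in find_spray(events).items():
        print(f"spray suspected against {user}: failures from {n} distinct IPs")
    for e in find_legacy_auth(events):
        print(f"legacy auth {e['result']} for {e['user']} via {e['client']} from {e['ip']}")
```

On the constructed log, only alice is flagged by the first check (bob's three failures all come from one address), and carol's IMAP success is the one legacy-authentication hit; dave's failed MFA challenge is MFA doing its job and is reported by neither check. The thresholds (ten minutes, five addresses) are starting points to tune against an organization's own normal sign-in volume.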

What is a legacy authentication process? How is this different from a multi-factor authentication process?

Legacy authentication refers to older sign-in methods, such as basic authentication used by older email clients and protocols, that accept only a username and password and cannot prompt for a second factor. Multi-factor authentication (MFA) requires the user to present something in addition to the password, such as a code from an authenticator app or a hardware key, before access is granted. The two are not stages of a transition: as long as legacy authentication stays enabled, an attacker who has a password can bypass MFA by signing in through a legacy protocol, so it should be disabled once users have moved to MFA-capable clients.

What types of organizations or companies are targets of brute force attacks?

Unfortunately, all types of organizations and companies are now targets of cyberattacks. In today’s digital age, hackers and other malicious actors continually find new ways to access sensitive information and disrupt operations. Common targets include religious organizations, financial institutions, and healthcare providers—entities that handle personal information and sensitive financial data.

What was the other unrelated cyber incident you were investigating?

On February 19, we learned that a third-party IT vendor responsible for managing certain of our IT systems experienced a cybersecurity incident that affected portions of our internal network. We severed our connection with the vendor and are investigating the incident, which is unrelated to the attempted brute force cyberattack on January 25.

Cybersecurity Related Topics:

Cybersecurity: Protect Your Episcopal Institution – Church Pension Group
Resources for Faith-Based Communities – Cybersecurity and Infrastructure Security Agency (CISA)
Resource Guide for Faith-Based Communities – Department of Homeland Security
Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society – Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity Must-Haves for Churches – Enabling Ministry