To: Diocese of Virginia clergy and vestries
From: Lynn Ivey, Executive Director
Bob Clarke, President
Re: Additional information related to the December 2022 IT Breach
Last week, we were informed that, in addition to the $327,541 in two transfers previously discovered as mis-directed due to cyber crime, an additional $85,327 in ToTF funds, transferred in December 2022, was diverted by cyber criminals. This was not a Participant withdrawal, but a payment made to the Diocese of Virginia which was not discovered until now. The protections (listed below) that we instituted in the first quarter of this year will ensure that this type of fraudulent mis-direction of ToTF funds transfers will not happen going forward.
As we reported this spring, funds related to two Participants had been fraudulently directed to bogus bank accounts associated with criminals that gained access to ToTF emails. As soon as we learned of the crimes, we notified law enforcement and instituted numerous changes in our IT security and deposit and withdrawal procedures, including:
- Enhanced security software and monitoring of ToTF computers
- Hardware and geographic limitations on access to ToTF emails
- Ongoing scam testing on ToTF computers
- ToTF deposits and withdrawals all processed through a secure web portal maintained by our outsourced Administrator, TCG
- Multi-factor confirmation for Participant transactions, allowed only for certified Participant representatives.
Since learning of this additional incident, we have:
- Confirmed that all Participant disbursements from December 1, 2022 through March 1, 2023 were received by payees
- Reviewed all non-Participant transactions from November 15, 2022 through August 31, 2023 for suspicious email addresses and confirmed that all payments sent were received by the intended party.
- Contacted the FBI and local Sheriff’s Office.
There is no payment transaction since mid-November 2022 that has not been confirmed by the payment recipient.
This brings the total loss in December 2022 from cyber-crime to $412,867.61, which, when reduced by insurance, results in an uninsured loss of $387,867.61.
ToTF does not retain reserves, so the money to make the third parties whole came from our investment accounts, similar to the treatment of operational expenses. For accounting purposes, an “Uninsured Loss” will be noted separately in our 2022 audit report. The impact of this recently discovered fraud to each ToTF participant will be a one-time reduction in performance of approximately 6 basis points, or 0.06%.
We know that this is a disturbing matter and we want to assure everyone that the staff and board are taking this very seriously. We have initiated an operations review that may result in some changes in procedures, staffing, etc. We value the trust you have put in us and will do everything possible to keep it.