October 12, 2023

Information Breach Details September 2023

Scroll

What happened:

At 5:07pm on Wednesday, September 27th, 2023 an unknown scammer started to send messages to email addresses connected with Oceanside Church. The scammer posed as “Pastor Andy Arnold” asking the recipient if they were “busy at the moment?” If the recipient responded, the scammer proceeded to ask the recipient to purchase a selection of Visa Gift Cards to be emailed back. While the messages appeared to come from the church, on closer inspection they were actually unassociated gmail.com accounts.

What you need to do:

No immediate action from yourself is required as no information which could be used by itself for financial fraud was obtained. However you should expect the scammers to continue to use fake emails with the names of oceanside church leadership or office staff to email you for the purpose of buying gift cards or other means of transferring money.

Oceanside Church and its leadership team will never request such things over email or text message. Also, these emails usually start in an ambiguous manner but then lead in the direction of obtaining finances.

Please be extremely cautious of the following types of messages:

  • Asking for gift cards
  • A ambiguous message seeming urgent
  • Sending links to online donation platforms
  • Reporting giving problems or issuing refunds
  • Asking for additional private information

Tips for avoiding scams:

  • Check that the email really is from "@oceansidechurch.ca"
  • If something doesn’t feel right trust your instincts
  • Call the "sender" to confirm if you suspect the email may be fake
  • Know that these messages may pop back up in weeks, months or years.

Sadly, we are also not the only church on Vancouver Island who has been targeted in recent weeks so please be mindful. If you transferred funds to the scammer please get in touch with us.

Initial response:

At 5:13pm we were contacted by a number of individuals in our community to report the scam. At 5:35pm we were able to lock down our church management system to any outside access. And, at 5:40pm we sent out a message to anyone in our system warning of the scam. At this time we have not heard of the scam being successful.

Investigation:

That evening using the names and email addresses of those who reported to us we were able to identify that an attacker obtained some level of access into our church management system’s directory. And, working with our software vendor we identified that a phishing attack against the office had been used to obtain access into a Deacon’s account.

The phishing attack succeeded at 12:08pm on the 27th, was exposed at 5:13pm and our system was locked down in response at 5:35pm.

What data was not compromised:

At no point did the attacker gain access to passwords, giving-records, financial-information or private communication. Also Oceanside does not collect or keep any sensitive information such as: social insurance numbers, credit or debit cards, driver's license numbers or personal health numbers. While people do donate to Oceanside using financial institutions, including online giving, we do not have access to information which is used to submit donations.

What data was accessible:

The deacon’s account had access to view a list of people's names, associated email addresses and phone numbers within a window. We believe this was the scammers intended target and exploit as messages were found from the scammer trying to obtain a church email directory along with the phishing attack.

What data was searchable:

If the scammer chose to search for individual profiles within our management system, they may have been able to view addresses and dates of birth if we had them on file. We are required to keep information, like addresses, for people who have donated to the charity for tax purposes. However, we don’t believe that this searchable data was the main target of the attack, as if it had been, they would have been unlikely to reveal themselves as they did at 5:13pm.

What we have done in response:

We have carried out a security audit alongside our software vendor and taken additional steps to further restrict and limit access to any church directories. We will also continue to carry out phishing fraud prevention training for staff members.

We sincerely apologize for the data breach, the personal information that has been exposed along with the continued inconvenience caused by this scammer. Please don't hesitate to contact us if you have further questions.

- Andrew Arnold, Lead Elder at Oceanside.

No items found.
Andy Arnold
Lead Elder

Continue reading

August 15, 2023
Love Your City 2023 Recap
View project
July 18, 2023
Romans Series: God's Roadmap For Human Redemption
View project
View all posts
Ready to come to church?
VISIT US
Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
EVENTS
NewsEvents
Church
About UsWatch LiveContact UsVisit UsFAQsGive
Media
Latest SermonsWatch LiveStoriesSchool of the BibleElvanto Login
Ministries
ONE80 KidsOcean YouthConnect GroupsOutreach
SUNDAY MORNING
Nanaimo Christian School
198 Holland Road, Nanaimo BC
9:30AM to 11:15AM
church office
2304 Jingle Pot Rd
Nanaimo, BC V9R 6W2+1 (250) 740 1026info@oceansidechurch.ca
Tues - Fri
8:30AM - 4:30PM