Seven months after it found out, FamilySearch tells users their personal data has been breached

Graham Cluley


Earlier this month, genealogy website FamilySearch announced that hackers had broken into its systems and stolen personal data about its users.

The site, which is run by the Church of Jesus Christ of Latter-Day Saints (better known by some as the Mormons) and describes itself as “the world’s largest shared family tree”, informed affected users via email on 13 October 2022 about its data breach.


The email begins:

Dear Account Holder:

FamilySearch International, a Utah nonprofit corporation (“FSI”), detected an unauthorized network intrusion that affected personal data you previously provided. At this time, there is no indication that the data has been or is likely to be used for fraudulent or other harmful purposes. The affected data did not include users’ family tree data. We are notifying you and others worldwide whose data may have been affected, even where this is not legally required.

Yes, they’re notifying folks whose data may have been affected, “even where this is not legally required.”

That’s nice of them.

But hang on, read a little further…

“On March 23, 2022, we detected unauthorized access to certain computer systems. We immediately notified federal law enforcement authorities in the United States. We were asked to keep the incident confidential to protect the integrity of the investigation. This instruction was lifted on October 12, 2022.”

Umm.. so the hackers stole – amongst other data – users’ full names, genders, email addresses, birth dates, mailing addresses, phone numbers (all useful information that can be exploited by scammers)… but FamilySearch was asked to keep schtum about it.

But don’t worry…

The affected data did not include users’ family tree data.

So your great great great grandmother doesn’t have anything to worry about.


FamilySearch says it cannot determine who hacked its systems, but that US law enforcement authorities suspect the intrusion was “part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.”

So there you go, nothing to worry about…

Which is just as well, because you’ll have a hell of a time changing your name, gender, birth date etc…

But seriously, shouldn’t affected users have been told sooner? Should law enforcement agencies be able to delay members of the public being told that their personal information may be in the hands of fraudsters and cybercriminals for over half a year?

It turns out that FamilySearch users weren’t the only ones who had their data stolen. It appears the same hackers also hit the genealogy site’s owners, the Mormon Church, stealing the personal details of church members, employees, contractors, and friends. 


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “Seven months after it found out, FamilySearch tells users their personal data has been breached”

  1. Thomas Kelly

    Correction
    * The Church of Jesus Christ of Latter-day Saints

    1. Graham Cluley · in reply to Thomas Kelly

      Thanks for the correction, I have updated the article.

  2. Simon

    Regarding your comment,
    "But don’t worry…
    The affected data did not include users’ family tree data.
    So your great great great grandmother doesn’t have anything to worry about."

    A tree can contain data (name, birth date, mother's maiden name) about people still living, like the user and their immediate family like spouse, kids, parents, uncles, cousins, etc.
    Under normal circumstances, this is hidden for living people, but it's there. It's also hard to remove as the site will log all changes to a person's record with the before after values.

  3. brorhama

    Another potential hack this week? Lots of anomalies lately.
    Commands don't work, pages not loading, error messages.
    Seems to be things aren't going well atm.

    1. brorhama · in reply to brorhama

      12 hours of server error messages – I say it's another DDOS

  4. Robin

    There doesn't seem to be as much data in the family tree as there used to be. I could trace one branch of my family tree back to the Normans, but that is no longer the case. Anyone any ideas?

    Thanks

  5. Mike

    Been on Family Search for over a decade, yet never received an email about a hack.

    Always receive all their other emails, tho…..hmmm…..
