Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Data has already been published online and listed in Have I Been Pwned, meaning downstream phishing, credential-stuffing, and social-engineering campaigns against the 2.3 million exposed accounts are an active and near-certain consequence rather than a hypothetical threat; impact is high because the breach affects a large population of identifiable individuals tied to a recognizable faith-based institution, creating compounded reputational, regulatory, and third-party harm for any affiliated organization whose members appear in the dataset.
Treatment rationale: The breach is confirmed and data is publicly circulating, so risk cannot be avoided or fully transferred at this stage; mitigation — accelerated notification, credential-reset enforcement, enhanced monitoring for downstream phishing, and regulatory engagement — directly reduces the magnitude and duration of ongoing harm.
Third-Party / Supply-Chain Risk
Any organization (churches, affiliated seminaries, partner ministries, donors, employers) whose personnel hold accounts in the Moody Bible Institute user database is exposed to second-order risk: compromised credentials and PII for their staff or constituents are now in threat-actor hands without those organizations having any direct control or advance notice, consistent with NIST SP 800-161 shared-platform and downstream-dependency exposure.
Loss Exposure (illustrative)
Magnitude: high — illustrative $2M–$15M across direct and indirect loss categories
Frequency: Single realized event already in progress; secondary-loss frequency (phishing campaigns, credential-stuffing attacks targeting affected accounts) elevated to near-certain over next 12–24 months given public data availability
Annualized: Illustrative ALE framing: primary breach costs (notification, legal, remediation, credit monitoring for 2.3M individuals) in the illustrative $2M–$10M range; secondary losses from downstream fraud and phishing enabling events could extend total illustrative exposure to $5M–$15M over a 24-month horizon — no defensible single-year ALE given uncertainty in data-field scope and regulatory outcome
Basis: Range driven by: (1) notification and remediation cost scaling to 2.3 million affected individuals, which is the primary cost driver at this population size; (2) reputational harm to a mission-driven institution with donor-dependent revenue, where trust erosion has direct financial consequence; (3) elevated secondary-loss probability because data is already public and ShinyHunters-linked breaches have historically been operationalized quickly for phishing and credential-stuffing; (4) regulatory exposure across multiple state notification regimes for a dataset of this scale; all figures are illustrative and not derived from any external benchmark report.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• PII exposure affecting 2.3 million individuals may invoke state breach-notification obligations across multiple jurisdictions — verify with counsel.
• If student records are included in the exposed dataset, potential FERPA applicability may arise — verify with counsel.
• Confirmed breach with published data may trigger cyber-insurance incident-reporting and notification-cost coverage provisions — verify with broker.
• Affiliated organizations whose member or donor data appears in the dataset may have independent contractual or regulatory notification obligations — each should verify with their own counsel.