Millions face losing cash amid Vatican website fears
MILLIONS of donations made to the Roman Catholic Church are at risk of being stolen by cyber criminals because the Vatican has ignored warnings about the vulnerability of its website.
Concerns about the insecure operation were raised by experts after recent reports emerged suggesting the Vatican websites had been infiltrated by hackers linked to the Chinese government.
British technology company Cybersec Innovation Partners (CIP), which has previously assisted Nato following a cyber breach, has written to Gianluca Gauzzi Broccoletti, the Pope’s head of security, telling him of the dangers but has yet to receive a reply.
A spokesman for the firm said: “We continually research and find that it is difficult for large organisations to keep track of all their web domains and sub-domains. This leads to vulnerabilities that cyber criminals are exploiting.
“The Vatican was informed of its numerous, unacceptable vulnerabilities two weeks ago but has done nothing to safeguard the security of those who want to support their religion and donate money.
“With Covid-19, and the moving of physical payments to digital-only platforms, never before has it been more critical to ensure security online.”
Peter’s Pence, also known as the Alms of St Peter, is the main conduit through which Pope Francis receives donations from among the world’s 1.3 billion Catholics to pay for philanthropic works and the administration of the Vatican.
In 2019, the Vatican raised about £50million in this way, although not all contributions were made online before the coronavirus pandemic.
While the Covid-19 crisis has forced the pontiff to postpone his chief fundraising tours until October, individuals can still use the website to make suggested direct payments ranging from 10 euros to 500 euros.
The Vatican already runs a £41million deficit on its annual £220million earnings and, with Covid-19 having shut down its museums – a main source of income – thefts of donations would hit it hard.
CIP also warned the Holy See in its letter that, by allowing personal information to be potentially compromised, it is falling foul of legally binding data protection rules.
British Airways is facing a potential fine of £183million for similar data breaches and the Marriott hotel chain is heading for a £99million penalty after its systems were compromised. The minimum fine for breaching the rules is four per cent of global annual earnings.
At the heart of the issue is the lack of certification for the Vatican’s main website www.vatican.va.
Two years ago website security was tightened, but the main portal has still not been updated, which is why the words “not secure” appear near the address instead of a padlock to show it is safe to enter.
Most of its 84 sub-domain websites are also not protected – and this includes the Vatican’s main donation portal.
Even cyber security professionals cannot be sure that a web page is authentic and not a spoof – deliberately placed by criminal gangs to mirror a real site – when it displays a “not secure” warning rather than a trusted padlock symbol.
In May, hackers linked to the Chinese government infiltrated Vatican computer networks, including that of the Roman Catholic Church’s Hong Kong-based representative, according to a report by US firm Recorded Future.
The attacks happened ahead of talks to renew a landmark 2018 deal that stabilised relations between China and the Church.
‘Warnings have been ignored’