Stormous Ransomware Claims Attack on Katholiek Amersfoort
On June 2, 2026, the ransomware group Stormous claimed responsibility for a cyberattack against Katholiek Amersfoort, a church organization based in the Netherlands and operating under the domain katholiekamersfoort.nl. According to the group's claim, the attack resulted in the exfiltration of more than 10 GB of sensitive data, including personal information belonging to members, donors, and possibly staff.
The breach is a reminder that no organization is exempt from ransomware targeting, regardless of its nonprofit or religious status. Churches, charities, and community organizations often store substantial amounts of personal data, including contact details, donation histories, and membership records, while operating with lean IT budgets and limited cybersecurity resources. That combination makes them attractive targets.
Why Non-Profit and Religious Organizations Are Vulnerable
Stormous is not a new threat actor. The group has been active for several years, frequently targeting organizations across multiple sectors and geographies. Their willingness to attack a church network in the Netherlands illustrates a broader trend: ransomware groups increasingly go after any organization holding data that can be leveraged for extortion, regardless of whether the target has significant financial resources.
For religious and community organizations, the risks are compounded by several factors. Many rely on volunteers rather than dedicated IT staff. Budget constraints mean security software, patching schedules, and encrypted backup systems are often underfunded or nonexistent. Member data, including names, addresses, phone numbers, and financial contribution records, is frequently stored in outdated databases or content management systems that haven't received security updates in years.
This isn't an isolated pattern. The hospital ransomware breach that exposed 337,917 patients at Cookeville Regional Medical Center followed a similar logic: attackers went after an institution holding sensitive personal records but not necessarily equipped with enterprise-grade defenses. Similarly, large-scale breaches like the ShinyHunters attack on Canvas that put 275 million student records at risk show that data volume, not sector prestige, drives targeting decisions.
What Data Was Likely Exposed
While the full scope of the Katholiek Amersfoort breach has not been officially confirmed by the organization, Stormous's claim of over 10 GB of exfiltrated data is significant. Church networks of this type typically hold:
- Full names and contact information for members and donors
- Donation and financial contribution records, which may include bank account details or payment method information
- Internal communications and administrative documents
- Staff or volunteer personal records, potentially including identification documents
Any of these data categories can be used in phishing campaigns, identity fraud, or sold on dark web marketplaces. Individuals who have interacted with Katholiek Amersfoort, whether as members, donors, or event participants, should treat their personal information as potentially compromised.
What This Means For You
If you are a member, donor, or contact of Katholiek Amersfoort, or of any religious or community organization that has experienced a breach, there are concrete steps you can take to reduce your exposure.
Monitor your data in breach databases. Services that index leaked credential data can alert you if your email address or password appears in a known dump. Check your email addresses against these services regularly, especially after news of a breach at any organization you have dealings with.
Change passwords linked to the affected organization. If you use the same email address and password combination for a membership portal and for other services such as email, banking, or social media, change those credentials immediately. Use a unique, strong password for every account and store your passwords in a reputable password manager.
Watch for targeted phishing attempts. Attackers who obtain membership lists often use that data to craft convincing phishing emails. Be skeptical of any message that references your church membership, asks for payment, or asks you to verify your account details via a link.
Use encrypted communications for sensitive interactions. When communicating sensitive personal or financial information with any organization, ensure the connection is encrypted. A VPN can help secure your traffic on public or shared networks, reducing the risk that your data is intercepted in transit.
Ask organizations how they protect your data. Nonprofits and religious organizations are subject to data protection regulations in the EU, including the General Data Protection Regulation (GDPR). If you are a resident of the Netherlands or another EU country, you have the right to ask organizations what data they hold about you and to request deletion in certain circumstances. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidance on data breaches caused by ransomware and can be a resource if you believe your rights have been violated.
From an organizational perspective, the Katholiek Amersfoort breach underscores the importance of encrypted, offsite backups; network segmentation to prevent lateral movement by attackers; and regular security audits even for small nonprofit operations. Zero-trust principles, where no user or system is trusted by default even inside the network perimeter, can significantly limit the damage an attacker can do after gaining initial access.
The Stormous ransomware attack on a Dutch church network may not generate the same headlines as breaches at major corporations, but the personal data of community members is just as sensitive and the harm just as real. Staying informed, monitoring your own data exposure, and pushing organizations you trust with your information to invest in basic security hygiene are the most effective tools available to ordinary people navigating this environment.




