The British and Foreign Bible Society has been fined £100,000, following the 2016 cyber-attack on its network, which left hundreds of thousands of donors’ data at risk.
The penalty, issued by the Information Commissioner’s Office (ICO), was delivered in response to the charity’s failure to secure the personal data of over 417,000 supporters when hackers entered the charity’s computer network by exploiting a weak password set on an account in 2009.
Once inside, the intruders deployed ransomware that would allow access to supporters’ home addresses, telephone numbers, and bank accounts. Information would then be encrypted and ransomed for payments from the organisation.
Though data was not permanently damaged or inaccessible, some files were transferred out of the charity’s network.
The Bible Society, which relies on card donations from its UK supporters, reported that “the incident occurred because of a vulnerability in a single isolated account which had been overlooked” and gave assurance that no other accounts were compromised.
The ICO deemed the incident a failure to take appropriate security measures to prevent unauthorised or unlawful processing of personal data, violating the seventh principle of the 1998 Data Protection Act.
In issuing the fine, the ICO also considered the inferred religious beliefs of the charity’s supporters, regarding the incident as a distressing breach that could not be underestimated.
Steve Eckersley, ICO’s head of enforcement, stated: “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”
As a result of the GDPR, implemented on 25 May, the ICO can now take further action to change the behaviour of organisations that collect, use, and keep personal information. Financial penalties, limited to £500,000 under the 1998 Act, can now reach up to £17m.
Since the attack, the Bible Society has fully cooperated with the ICO investigation. Its early payment resulted in a 20 percent discount for the charity. No appeal against the fine is expected.