Charity fined £100,000 for ‘distressing’ data breach

The British and Foreign Bible Society has been fined £100,000, following the 2016 cyber-attack on its network, which left hundreds of thousands of donors’ data at risk.

The penalty, issued by the Information Commissioner’s Office (ICO), was delivered in response to the charity’s failure to secure the personal data of over 417,000 supporters when hackers entered the charity’s computer network by exploiting a weak password set on an account in 2009.

Once inside, the intruders deployed ransomware that would allow access to supporters’ home addresses, telephone numbers, and bank accounts. Information would then be encrypted and ransomed for payments from the organisation.

Though data was not permanently damaged or rendered inaccessible, some files were transferred out of the charity’s network.

The Bible Society, which relies on card donations from its UK supporters, reported that “the incident occurred because of a vulnerability in a single isolated account which had been overlooked” and gave assurance that no other accounts were compromised.

The ICO deemed the incident a failure to take appropriate security measures to prevent unauthorised or unlawful processing of personal data, violating the seventh principle of the 1998 Data Protection Act.

The fact that the religious beliefs of the charity’s supporters could be inferred was also considered in issuing the fine; the ICO regarded the breach as distressing and one that could not be underestimated.

Steve Eckersley, ICO’s head of enforcement, stated: “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

As a result of the GDPR, implemented on 25 May, the ICO can now take further action to change the behaviour of organisations that collect, use, and keep personal information. Financial penalties, limited to £500,000 under the 1998 Act, can now reach up to £17m.

Since the attack, the Bible Society has fully cooperated with the ICO investigation. Its early payment resulted in a 20 percent discount for the charity. No appeal against the fine is expected.
