Charity fined £100,000 for ‘distressing’ data breach

The British and Foreign Bible Society has been fined £100,000, following the 2016 cyber-attack on its network, which left hundreds of thousands of donors’ data at risk.

The charge, issued by the Information Commissioner’s Office (ICO), was delivered in response to the charity’s failure to secure the personal data of over 417,000 supporters when hackers entered the charity’s computer network by exploiting a weak password set on an account in 2009.

Once inside, the intruders deployed ransomware that would allow access to supporters’ home addresses, telephone numbers, and bank accounts. Information would then be encrypted and ransomed for payments from the organisation.

Though data was not permanently damaged or inaccessible, some files were transferred out of the charity’s network.

The Bible Society, which relies on card donations from its UK supporters, reported that, “the incident occurred because of a vulnerability in a single isolated account which had been overlooked” and assured no other accounts were compromised.

The ICO deemed the incident a failure to take appropriate security measures to prevent unauthorised or unlawful processing of personal data, violating the seventh principle of the 1998 Data Protection Act.

The inferred religious beliefs of the charity’s supporters were also considered in issuing the fine; the ICO regarded the incident as a distressing breach that could not be underestimated.

Steve Eckersley, ICO’s head of enforcement, stated: “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

As a result of the GDPR implemented on 25 May, the ICO can now take further action to change the behaviour of organisations that collect, use, and keep personal information. Financial penalties, limited to £500,000 under the 1998 act, can now reach up to £17m.

Since the attack, the Bible Society has fully cooperated with the ICO investigation. Its early payment resulted in a 20 percent discount for the charity. No appeal against the fine is expected.
