Submissions for the 2022 Charity Shop Survey close Friday!

Find out more and download the questionnaire here

ICO fines charity £100,000 for data protection breach

08 Jun 2018 News

The Information Commissioner’s Office (ICO) has fined the British and Foreign Bible Society £100,000 after cyber hackers gained access to more than 400,000 supporters’ personal data.

The Commissioner found that, although the Society was the victim of a criminal act, it failed to take appropriate technical and organisational steps to protect its supporters’ personal data.

Between November and December 2016, the intruders exploited a weakness in the Swindon-based charity’s network to access the personal data of 417,000 of its supporters.

The ICO said some payment card and bank account details were placed at risk for some of these supporters.

The attackers deployed ransomware, and whilst the society’s data was not permanently damaged or rendered inaccessible by the encryption, the attackers were able to transfer some files out of the network.

‘Insufficiently secured network’

The ICO said supporter details were kept on an insufficiently secured internal network.

In 2009, the charity created a service account on the same network, which was configured in such a way as to provide inappropriate remote access rights to the network and was only secured with an easy-to-guess password.

The ICO’s head of enforcement, Steve Eckersley, said: “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.

“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.

“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

The ICO considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

It said the charity, which translates and distributes the Bible in the UK and around the world, has taken substantial remedial action since it became aware of the attack and has fully co-operated with the ICO’s investigation.

For more news, interviews, opinion and analysis about charities and the voluntary sector sign up to receive the Civil Society News daily bulletin here



More on