Christian Charity fined £100,000 over security breach

Created on: 11th June 2018

The Bible Society has been fined £100,000 over computer security failings that allowed hackers to access the personal details of more than 400,000 mainly Christian backers.

The Information Commissioner’s Office (ICO) said the details of supporters - including home addresses, telephone numbers and bank accounts - were compromised by cyber attackers who guessed the “weak password” of one of the charity’s databases.

The password was the same as the username on the account, set up in 2009 but not hacked until November 2016. The account contained details of 417,000 Bible Society supporters.

The ICO complained, in issuing the large fine, that the cyber attack caused “distress” because the “religious belief of the 417,000 supporters could be inferred”.

The fine is particularly embarrassing for the Bible Society, which is one of the most distinguished charities in the UK. It has been operating for more than 200 years, distributing and promoting the Bible in the UK and overseas, and its patron is Her Majesty the Queen.

But a source close to the charity complained that the ICO had issued an arbitrarily large fine as punishment and had wrongly concluded that the Christian beliefs of its supporters were something they would wish to remain private.

But Steve Eckersley, the ICO’s head of enforcement, said: “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.

“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.

“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

According to the ICO, “one or more attackers exploited the vulnerability by using brute force” to guess the weak password. Then, on December 1, 2016, the attackers deployed ransomware that encrypted one million shared files held on the Bible Society’s open network. Ransomware allows hackers to hold organisations to ransom by offering to unlock the encrypted data in exchange for money.

The files included 1,020 payment card details that included card numbers and start and end dates; 27,800 bank details with sort code and account numbers; and contact details of more than 400,000 supporters.

The ransomware also had the capability of stealing files from the Bible Society computer network.

The ICO, the authority which prosecutes data breaches, concluded that the cyber attack was likely to cause “substantial damage or substantial distress” and that the hackers had likely deliberately targeted the charity in an attempt to hold it to ransom.

Posted by David Pilkington

Extract from 
