Organization pays out £100k after ransomware stole personal information

UK charity Bible Society has been hit with a £100,000 fine for a data breach that allowed hackers to access the personal details of 417,000 supporters.

The organization, which distributes bibles across Britain, was subjected to a hack when opportunistic attackers guessed an account password.

In 2009, an admin account was added to the society's internal network, giving employees the rights to log on to the main system and access network files.

Later, this was extended to allow home working, and users were allowed to log on to the remote desktop server.

Critically, though, the password for the service account was the same as the account user name, making it eminently guessable.

And in 2016, hackers did exactly that, guessing the password and deploying ransomware that encrypted around a million shared files.

The data included more than a thousand payment card details and 27,800 bank sort codes and account numbers.

“The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud,” says Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO).

“Our investigation determined that it is likely that the religious beliefs of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.”

However, in one way, the charity was lucky – because it had backed up data only the day before, the information couldn't be held to ransom as the attackers had hoped.

When it discovered the breach, the society was quick to alert its supporters, a spokesperson tells The Daily Swig. All those who might have been affected were contacted immediately, and there don't appear to have been any ill effects.

“No supporters reported that their accounts had been breached and there is no evidence of any material effect on supporters,” the Bible Society explained in a statement.

“Indeed, the Commissioner herself has stated that, ‘No adverse consequences or abuse of supporter data were found’.”

Charities under GDPR

The decision will concern other charities – particularly as the General Data Protection Regulation (GDPR) has since come into force, bringing tighter restrictions on the use of personal data and potentially sky-high fines.

“The rights of data subjects have been heightened under GDPR and small charities need to ensure that they are putting in place appropriate measures to protect personal data and keep their networks informed about how their information is processed,” Martin George, compliance manager at the Foundation for Social Improvement (FSI), told The Daily Swig.

Charities should, he says, “ensure that they are clear and up front with how they process and protect personal data, adhering to the ICO’s guidelines on GDPR and Institute of Fundraising advice”.