Charity fined £100,000 for failing to protect personal data from hackers.
- Jon Benjamin
- Jun 8, 2018
- 2 min read

Charity deemed at fault for not taking adequate steps to protect data from criminal hackers.

When more than a dozen major charities received fines from the Information Commissioner at the end of 2016 and the beginning of 2017, the regulator stated that the amount of the fines had been limited because the offenders were charities. The RSPCA was fined £25,000 but was allowed to pay a reduced amount of £20,000 for early settlement. Whilst that is a significant amount for any organisation, a recent case has shown that even capping fines for charities does not mean that a fine of several times that amount is out of the question. And the case of the British and Foreign Bible Society’s £100,000 fine is even more startling when one considers that the charity was itself the victim of the criminal hacking of its data.

Between November and December 2016, hackers gained access to the personal data of some 417,000 supporters, including payment card and bank account details. The attackers deployed ransomware and, whilst the Society’s data was not permanently damaged or rendered inaccessible, they were able to transfer files out of the network.

The Information Commissioner found that, although the Society was the victim of a criminal act, it failed to take appropriate technical and organisational steps to protect its supporters’ personal data. This was in breach of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. The Society’s network had been configured in such a way as to provide insecure remote access rights to the network, and that access was protected only by an easy-to-guess password.

The ICO’s head of enforcement, Steve Eckersley, said: “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud. Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

Also of note for faith-based charities is that an aggravating factor was that the religious beliefs of the charity’s supporters could be inferred from the data, causing additional distress. The implication is that religious beliefs, whether stated explicitly or implicitly, render the data more sensitive and the breach more serious.