The Bible Society has been fined £100,000 over computer security failings that allowed hackers to access the personal details of more than 400,000 mainly Christian backers.
The Information Commissioner’s Office (ICO) said the details of supporters - including home addresses, telephone numbers and bank accounts - were compromised by cyber attackers who guessed the “weak password” of one of the charity’s databases.
The password was the same as the username on the account, set up in 2009 but not hacked until November 2016. The account contained details of 417,000 Bible Society supporters.
The ICO complained, in issuing the large fine, that the cyber attack caused “distress” because the “religious belief of the 417,000 supporters could be inferred”.
The fine is particularly embarrassing for the Bible Society, which is one of the most distinguished charities in the UK. It has been operating for more than 200 years, distributing and promoting the Bible in the UK and overseas, and its patron is Her Majesty the Queen.
But a source close to the charity complained that the ICO had issued an arbitrarily large fine in punishment and had wrongly concluded that the Christian beliefs of its supporters were something they would wish to remain private.
But Steve Eckersley, the ICO’s head of enforcement, said: “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.
“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.
“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”
According to the ICO, “one or more attackers exploited the vulnerability by using brute force” to guess the weak password. Then on December 1 2016, the attackers deployed ransomware that encrypted one million shared files held on the Bible Society’s open network. Ransomware allows hackers to hold organisations to ransom by offering to unlock the encrypted data in exchange for money.
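The two technical failings the ICO describes are an account whose password equalled its username and a brute-force attack that went unnoticed long enough to succeed. The following is an added illustration written for this page, not code from the article or from the Bible Society; it checks a proposed password against the username (including trivial variants) and flags bursts of failed logins in an assumed, constructed log format. The log lines, the `dbadmin` and `alice` account names, and the addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def password_matches_username(username: str, password: str) -> bool:
    """True if the password is the username or a trivial variant of it
    (case-insensitive, reversed, or the username with digits/punctuation added)."""
    u = username.strip().lower()
    p = password.strip().lower()
    if not u or not p:
        return True  # treat empty values as unacceptable
    letters_only = re.sub(r"[^a-z]", "", p)
    return p == u or p == u[::-1] or letters_only == u

# Assumed log format for the example: "<ISO timestamp> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): peak_failures} for pairs with >= threshold failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "fail":
            failures[(m["user"], m["src"])].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def guessed_logins(lines, threshold=5, window=timedelta(minutes=10)):
    """Pairs that were flagged for a failure burst and also produced a successful
    login from the same source: the signature of a guessed password."""
    flagged = find_bruteforce(lines, threshold, window)
    hits = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "ok" and (m["user"], m["src"]) in flagged:
            hits.add((m["user"], m["src"]))
    return sorted(hits)

# Constructed sample log: a six-attempt burst that ends in success, and one ordinary typo.
SAMPLE_LOG = [
    "2016-11-28T02:14:05 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:06 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:08 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:09 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:11 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:12 auth fail user=dbadmin src=203.0.113.7",
    "2016-11-28T02:14:14 auth ok user=dbadmin src=203.0.113.7",
    "2016-11-28T09:30:00 auth fail user=alice src=198.51.100.2",
    "2016-11-28T09:31:00 auth ok user=alice src=198.51.100.2",
]

if __name__ == "__main__":
    print("password == username?", password_matches_username("dbadmin", "DbAdmin2009!"))
    print("burst sources:", find_bruteforce(SAMPLE_LOG))
    print("likely guessed:", guessed_logins(SAMPLE_LOG))
```

The policy check belongs at account creation and on every password change, so an account like the one described here is rejected before it exists; the log check is the compensating control that would have surfaced a guessing campaign against a forgotten account long before ransomware was deployed.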
The files included 1,020 payment card details that included card numbers and start and end dates; 27,800 bank details with sort code and account numbers; and contact details of more than 400,000 supporters.
The ransomware also had the capability of stealing files from the Bible Society computer network.
The ICO, the authority which prosecutes data breaches, concluded that the cyber attack was likely to cause “substantial damage or substantial distress” and that the hackers had likely deliberately targeted the charity in an attempt to hold it to ransom.
The Bible Society said in a statement it was the victim of a criminal ransomware attack and that “the incident occurred because of a vulnerability in a single isolated account which had been overlooked”.
It went on: “No other Bible Society account was – or could have been – compromised by the attack as robust cyber security measures were – and remain – in place across the organisation. At no point did this breach involve or affect our website (biblesociety.org.uk) or associated online Bible Society accounts.”
The society said it had “acknowledged, from the outset, the significance of the data security incident and we have taken it very seriously”.
But it also pointed out that it had not received a single report of a breach of any supporters’ accounts, and that “there is no evidence of any material effect on supporters”.
The Bible Society has already paid the fine, receiving a 20 per cent discount for early payment. It insisted that no donations were used to pay the discounted £80,000 fine.
Monday, June 11, 2018
U.K. Bible Society fined £100,000 for cyber hack of over 400,000 supporters
It seems as though no one is safe from the perils of modern technology; as reported by Robert Mendick of the London Daily Telegraph, June 8, 2018 (link in original):