GBP100,000 fine for UK charity whose list of supporters was hacked
The Bible Society's internal network was insufficiently secured, allowing remote access to one of its accounts through an easy-to-guess password that was the same as the username itself, said the ICO. This account was given rights to log on to the society's remote desktop server, which allows access for working from home.
In November 2016, cyber-attackers exploited this weakness by using 'brute force' techniques to guess the password and penetrate the charity's security. As well as installing ransomware on the society's network, they stole the personal data of 417,000 of its contributors, including the bank card and account details of around 1,000 people. The society collects contributions from donors through their bank cards, and keeps their details unencrypted on its internal system.
The ransomware, called Dharma, encrypted a million files on the society's network, and demanded payment to release them. Fortunately the society had backed up its files the day before and was able to restore its live data from them.
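As an added illustration, not part of the original report or of the society's own tooling: a detection routine for the pattern described above, a burst of failed Remote Desktop logons against one account from one source, followed by a success. It runs over constructed Windows Security log records; the account names, the 198.51.100.0/24 addresses and the simplified one-line record format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not data from the incident. Event ID 4625 is
# "an account failed to log on", 4624 is a successful logon; LogonType 10 is
# RemoteInteractive, i.e. a Remote Desktop session. Names and IPs are placeholders.
SAMPLE_LOG = """\
2016-11-01T02:14:01Z 4625 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T02:14:02Z 4625 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T02:14:03Z 4625 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T02:14:04Z 4625 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T02:14:05Z 4625 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T02:14:06Z 4624 LogonType=10 Account=remoteuser Source=198.51.100.7
2016-11-01T09:30:00Z 4625 LogonType=10 Account=alice Source=198.51.100.20
2016-11-01T09:30:40Z 4624 LogonType=10 Account=alice Source=198.51.100.20
2016-11-01T11:00:00Z 4625 LogonType=2 Account=bob Source=127.0.0.1
"""

WINDOW = timedelta(seconds=60)   # sliding window over which failures are counted
THRESHOLD = 5                    # failures within WINDOW that count as brute force

def parse(line):
    """Split one record into (timestamp, event_id, fields dict)."""
    ts, event_id, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), fields

def detect_rdp_brute_force(log_text):
    """Return one alert per (source, account) whose Remote Desktop failures reach
    THRESHOLD within WINDOW; success_after records a later successful logon."""
    recent = defaultdict(deque)   # (source, account) -> timestamps of recent failures
    alerted = {}                  # (source, account) -> alert dict
    for line in log_text.splitlines():
        ts, event_id, f = parse(line)
        if f.get("LogonType") != "10":
            continue              # only Remote Desktop sessions are of interest here
        key = (f["Source"], f["Account"])
        if event_id == 4625:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and key not in alerted:
                alerted[key] = {"source": key[0], "account": key[1],
                                "failures": len(q), "success_after": False}
        elif event_id == 4624 and key in alerted:
            alerted[key]["success_after"] = True   # the burst paid off: investigate
    return list(alerted.values())

if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_LOG):
        print(alert)
```

The single normal mistyped password for alice and the local (LogonType 2) failure for bob produce no alert, so the routine separates the guessing campaign from everyday noise.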
'Cyber-attacks will happen, that's just a fact, and we fully accept that they are a criminal act', commented the ICO's head of enforcement Steve Eckersley. 'But organisations need to have strong security measures in place to make it as difficult as possible for intruders.'
Principle 7 of the Data Protection Act 1998 states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. This has now been augmented by the General Data Protection Regulation, which enables the ICO to impose much higher fines on organisations that do not protect their personal data adequately.
The level of security expected is 'appropriate technical and organisational measures...having regard to the state of technological development and the cost of implementing measures...appropriate to the harm that might result [from a breach] and the nature of the data to be protected.'
The high penalty was partly because the religious belief of the society's supporters could be inferred by the attackers, causing 'substantial distress', said the ICO. The society can appeal against the size of the penalty, but if it does, it will lose any opportunity of having it reduced as a reward for its cooperation.