Bible Society hackers stole thousands of bank details
The Bible Society has been fined £100,000 over computer security failings that allowed hackers to access the personal details of more than 400,000 Christian supporters.
The Information Commissioner’s Office (ICO) said the details of supporters – including addresses, phone numbers and bank details – were compromised by attackers who guessed the “weak password” of one of the charity’s databases. The password was the same as the username. The account contained details of 417,000 supporters.
The ICO said that the cyber attack caused “distress” because the “religious belief of supporters could be inferred”.
The fine is particularly embarrassing for the organisation, one of the most distinguished charities in the UK.
But a source close to the charity complained that the ICO had issued an arbitrarily large fine in punishment and had wrongly concluded that the beliefs of its supporters were something they would wish to remain private. Steve Eckersley, the ICO’s head of enforcement, said: “The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.
“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress caused cannot be underestimated.” The ICO said “one or more attackers exploited the vulnerability by using brute force” to guess the password.
On Dec 1 2016, attackers deployed ransomware that encrypted one million files on the charity’s open network. Ransomware allows hackers to hold organisations to ransom by offering to unlock encrypted data in exchange for money. The files included 1,020 payment details such as card numbers and expiry dates; 27,800 bank details with sort code and account numbers; and contact details of more than 400,000 people. The ICO concluded that the attack was likely to cause “substantial damage or distress” and that the hackers had likely deliberately targeted the charity.
The Bible Society said that “the incident occurred because of a vulnerability in a single isolated account which had been overlooked”. It added: “No other Bible Society account was, or could have been, compromised as robust cyber security measures were, and remain, in place. At no point did this breach involve or affect our website or associated online accounts.”
The society said it had “acknowledged, from the outset, the significance of the incident and have taken it very seriously”. But it also pointed out that “there is no evidence of any material effect on supporters”.
The Bible Society has paid the fine, receiving a 20 per cent discount for early payment, and insisted no donations were used.