The Bible Society's Data Breach: What Can We Learn?
Following a cyber-attack on the British and Foreign Bible Society which led to a data breach by the charity in 2016, the ICO has recently fined the Society £100,000 for failing to take "appropriate technical and organisational steps" to protect its supporters’ personal data. In particular, the ICO criticised the Society for failing to put strong enough security measures in place to protect the accounts it held concerning its donors, exposing them to the risk of financial and identity fraud.
The Bible Society is a Christian charity which aims to make the Bible available around the world, and does so by translating, distributing and promoting the Bible in the UK and abroad. This attack appears to have been made possible by vulnerabilities in the Society's network, including its weak password, which the attackers exploited in order to access the data of over 400,000 donors to the charity including names, addresses and payment card details. The attackers then used ransomware to encrypt the data and effectively hold the Society to ransom, offering to unlock the encrypted data for a fee.
How did the ICO respond?
The ICO appears to have taken a strong stance in this instance to emphasise the point that even where organisations are innocent victims of a cyber-attack, they are fully responsible for any data breaches that occur as a result of their failure to put sufficient protective measures in place. Steve Eckersley, the ICO's head of enforcement, said that due to the reality that cyber-attacks happen, organisations must make it "as difficult as possible for intruders".
In considering the seriousness of the data breach, the ICO emphasised the fact that supporters' religious beliefs could be inferred from the personal data in question, as this made the breach likely to cause “substantial damage or substantial distress", the extent of which "cannot be underestimated".
Following the breach, the Society immediately contacted any supporters whose data might have been put at risk to offer them advice and support. It co-operated fully with the ICO's investigation and paid the full fine straight away, which entitled it to a 20% discount on the fine. It has stated that it will not use any funds donated by supporters to pay this.
Because the attack took place in 2016, before the new GDPR and 2018 Data Protection Act came into effect, this case has been dealt with under the old data protection rules. In this case, the Society's failure to take steps to protect its supporters' data was a breach of Principle 7 of the Data Protection Act 1998.
Under the new data protection legislation which came into force in May this year, the penalties for a breach include higher fines as well as compensation for individuals affected. The GDPR also requires more proactive reporting of any data breaches and additional responsibilities for data controllers to document their policies and procedures, with tougher requirements for processing special categories of data, including information about religious beliefs.
What can we learn going forward?
The key lessons we can learn from these events are:
- Even where it is a victim of a criminal cyber-attack, an organisation can itself commit an offence simply by using systems which leave themselves vulnerable to such data breaches. Organisations must therefore prepare for the possibility that they may become the victim of such an attack.
- This fine is considerably larger than the fines previously imposed on charities by the ICO. Of the thirteen charities fined in 2016-17, the largest was the £25,000 fine issued to the RSPCA and the rest were all less than £20,000. At £100,000, this latest fine indicates the start of a much tougher approach towards charities by the ICO going forward.
- It is important to act quickly and proactively following a data breach. Charities need clear processes to be able to identify and respond to a breach, and in particular should contact anyone whose data may be affected and find out the impact this has had on them. Taking such action may mitigate the impact of the breach, which may in turn alleviate the penalty imposed by the ICO.
- Charities are not exempt from requirements to document their data protection policies and procedures, all of which are likely to be required by the ICO in any future investigation.