The Information Commissioner’s Office (ICO) has fined a Christian charity £100,000 after hackers gained access to the personal data of more than 400,000 of the charity’s supporters.
The British and Foreign Bible Society, which is based in Swindon and distributes free bibles, was handed the fine after a cyber-attack on the charity in which hackers used a weakness in the charity’s network to access the personal data of 417,000 people between November and December 2016.
In some cases, supporters’ payment cards and bank account details were at risk, the ICO said.
The ICO found that an internal network that held supporters’ data was "insufficiently secured" and protected only by an "easy-to-guess" password.
A service account, which was created on the internal network in 2009, was also "configured in such a way as to provide inappropriate remote access rights to the network", the ICO said.
The hackers used a ransomware attack and, although the charity’s data was not permanently damaged or made inaccessible, some files were transferred out of the network.
The ICO therefore found that, although the charity was the victim of a criminal act, "it failed to take appropriate technical and organisational steps to protect its supporters’ personal data".
The ICO said it fined the charity because it deemed the incident to be a serious contravention of principle seven of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data.
The charity had taken "substantial remedial action" since the attack and had "fully cooperated" with the ICO’s investigation, the regulator said.
According to the Charity Commission’s website, the Bible Society had an income of £19.5m and spent £18.9m in the year to 31 March 2017.
In a statement, the Bible Society said the incident occurred "because of a vulnerability in a single isolated account which had been overlooked" and that no other accounts on the charity’s system were compromised.
The charity’s statement said that it had paid the fine and received a 20 per cent discount. It is not expected to appeal against the fine.
"The Bible Society has acknowledged, from the outset, the significance of the data security incident and we have taken it very seriously," the statement said.
"Following the hack, we immediately contacted any supporters whose data might have been at risk, giving support and advice on what to do next. We have also worked closely with the ICO over the last 16 months and cooperated fully with it in its enquiry.
"No supporters reported that their accounts had been breached and there is no evidence of any material effect on supporters.
"We remain vigilant regarding cyber security threats and have taken all possible steps to ensure that the risk of a future breach is minimised."
Steve Eckersley, head of enforcement at the ICO, said: "The Bible Society failed to protect a significant amount of personal data and exposed its supporters to possible financial or identity fraud.
"Cyber-attacks will happen, that’s just a fact, and we fully accept that they are criminal acts. But organisations need to have strong security measures in place to make it as difficult as possible for intruders."