The British and Foreign Bible Society, based in Swindon, has been fined £100,000 by the Information Commissioner's Office (ICO) after its computer network was compromised in a cyber-attack in 2016.
Between November and December 2016, the intruders exploited a weakness in the Society's network to access the personal data of 417,000 of the Society's supporters. For a subset of these supporters, some payment card and bank account details were placed at risk.
The Society, which translates and distributes the scriptures in the UK and around the world, relies on card donations from its UK supporters.
Supporter details were kept on an insufficiently secured internal network, and in 2009 the Society created a service account on the same network.
This account, which was configured in a way that granted inappropriate remote access rights to the network, was secured only with an easy-to-guess password.
The attackers deployed ransomware, and although the Society's data was not permanently damaged or rendered inaccessible by the encryption, the attackers were able to transfer some files out of the network.
The ICO's Head of Enforcement, Steve Eckersley, said:
"The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.
"Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the suffering this kind of breach can cause cannot be underestimated.
"Cyber-attacks will happen, that's just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders."
The Commissioner found that, although the Society was the victim of a criminal act, it failed to take appropriate technical and organisational steps to protect its supporters' personal data.
The ICO considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998, which requires that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data.