UK Charity Fined £100,000 for Personal Data Breach

Published on

June 28, 2018

Jun 2018 Charity & NFP Law Update

On June 7, 2018, the Information Commissioner’s Office (“ICO”) of the United Kingdom published a monetary penalty notice fining a charity, the British and Foreign Bible Society (“Bible Society”), in accordance with s. 55A of the UK’s Data Protection Act 1998 (“DPA”), after a 2016 cyber-attack compromised the Bible Society’s computer network. The Bible Society is a “data controller” under s. 1(1) of the DPA, and must comply with data protection principles regarding personal data that it controls as a data controller. The data protection principles require data controllers to ensure, among other things, that “appropriate technical and organizational measures [are] taken against unauthorized or unlawful processing of personal data…” to maintain an appropriate level of security relative to the harm that could result from a data breach and relative to the nature of the data.

In 2009, the Bible Society created a service account intended for internal use, allowing users to log on to the network remotely and access network files. However, the account username and password were identical, and protection was therefore weak. As a result, attackers were able to access the network between November 16 and December 1, 2016, by guessing the weak password and username combination. An attacker subsequently installed ransomware on the network, encrypting 1 million shared files, including files with personal data. This data included details for 1,020 payment cards, 27,800 bank accounts, and contact information for 417,000 of the Bible Society’s supporters. While this information was retrieved by the Bible Society through a backup, files were obtained by the attacker, possibly including personal data.

The ICO found that the Bible Society had failed to implement appropriate technical and organizational measures for ensuring that the personal data on its network could not be accessed or processed by an attacker in contravention of the PDA. In addition to the weak password, the ICO found that the Bible Society did not have sufficient oversight of its network and systems; did not identify possible network risks when implementing the service account for remote access; did not remove all of the shared files from the network to a secured location with limited access; and did not enable ‘on access scanning’ that would have detected the ransomware when it was first deployed instead of the next day.

Given the number of individuals whose personal data was affected, the nature of the personal data, and the potential consequences of a breach, the ICO found that the contravention was of a serious nature. Further, as the attacker accessed financial data that could expose the data subjects to identity theft or financial harm, as well as sensitive personal information that would have allowed it to infer the religious beliefs of the subjects, the ICO found that the contravention was likely to cause substantial damage or distress to the data subjects. Although the ICO also found that the Bible Society did not intentionally contravene the DPA, it found that that the inadequacies were a matter of serious oversight and that the Bible Society ought reasonably to have known of the risk of a ransomware attack, of the vulnerability of the data on an open network, that such attack would cause substantial distress to the data subjects, and that the Bible Society should have ensured that the personal data was appropriately protected. The ICO therefore fined the Bible Society £100,000 for its contravention of the DPA.

Although this case takes place in the context of UK law, it is a reminder that attacks and data breaches can happen to any organization, including charities and not-for-profits. Regardless of their status as charities or other not-for-profits, all organizations should take steps to ensure that they have appropriate physical, technical and administrative safeguards in place to protect personal information in their custody or control. This case demonstrates that charities and not-for profits can face significant financial penalties for privacy breaches, whether they are subject to and have breached a statute (such as PIPEDA or the British Columbia Personal Information Protection Act), as in the UK case, or whether they are found liable in tort as the result of a lawsuit brought against them. This case is therefore a reminder to all charities and not-for-profits of the importance of ensuring that they put in place appropriate safeguards to protect the personal data in their possession.


​Read the June 2018 Charity & NFP Law Update