The Information Commissioner's Office has not so much rained fire and brimstone down on the British and Foreign Bible Society as drizzled it with a £100,000 fine - after the personal data of 417,000 supporters was put at risk by a cyber attack.
As a result of a ransomware attack in 2016, intruders were able to exploit a weakness in the network of the Swindon, England-based society to access personal data, potentially exposing the payment card and bank account details of some supporters.
The organisation, which translates and distributes the Christian Bible in the UK and around the world, relies on card donations from its UK supporters.
Those details were kept on a service account on the same network, which was configured in such a way as to provide inappropriate remote access rights to the network, and was only secured with an easy-to-guess password.
Although the society's data was not permanently damaged or rendered inaccessible by the ransomware attack, miscreants were able to transfer some files out of the network.
The ICO's head of enforcement, Steve Eckersley, said: "The Bible Society failed to protect a significant amount of personal data, and exposed its supporters to possible financial or identity fraud.
"Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated."
Echoing the sentiment of Ecclesiastes, the ICO head noted: "Cyber-attacks will happen, that’s just a fact," adding, "we fully accept that they are a criminal act.
"But organisations need to have strong security measures in place to make it as difficult as possible for intruders."
The ICO found the society failed to take appropriate technical and organisational steps to protect its supporters’ personal data. It has since taken substantial remedial action and has fully co-operated with the ICO’s investigation, it said.
The Register has asked the Bible Society for a comment. ®