ICO smites Bible Society, well fines it £100k...

Silver badge
Joke

This story is a New Testament to poor security

50
0
Anonymous Coward

No, they shouldn't be fined!

Because not protecting their data amounts to turning the other cheek (as required by the rules), and the flock whose privates have been exposed should be forgiving the Bible Society. And the ICO, who are THEY to sit in judgement....etc etc

Today's thought is for the Bible Society, and comes from the New International Version, Psalm 19:2 "Day after day they pour forth speech; night after night they reveal knowledge"

24
0

How is this helpful?

So, because an organisation which relies on credit card donations for funding was not careful with those cardholder details, they're fining the organisation £100,000. Money which the organisation got from the cardholders. So the cardholders are paying the fine for something which potentially injured them, and which wasn't their fault. Something feels wrong about this...

25
25
Anonymous Coward

Re: How is this helpful?

Like all fines, it's not just about punishing the guilty, it is also about making others sit up and listen.

Sadly the approach doesn't really work because the fines are not based on income but generally fixed and out of date.

In this case, though, I suspect it will work, as few charities can afford to just soak up a £100K fine.

Having written systems for charities over the years, the common theme in my experience is they are run by people who want to do good, but not necessarily competent to run a company; as such the Bible Society's example here rings true with my experiences elsewhere.

24
2
Silver badge
Facepalm

Re: How is this helpful?

The same is true of any organization or company... Its money had to come from somewhere, either paying customers, paying supporters or the general population (taxes for governmental departments and institutions).

Using your argument, no company should ever be fined, no matter what they do, because they are not being hurt, because their customers are paying for it...

21
3
Silver badge

Re: How is this helpful?

...So the cardholders are paying the fine for something which potentially injured them, and which wasn't their fault....

This is the case for all commercial organisations.

Any such organisation provides services in return for money. The money either comes in from the customers, or, frequently nowadays, from taxpayers. When it is hit with a fine, that just means the customers get less value for their money.

Even if we are talking about a highly competitive multi-company environment, hitting one company with a fine will make it less competitive, and hence less of a danger to its competitors. So they can raise prices a bit more.

Fines work against individual people. They are pointless against companies, and especially pointless against government organisations.

8
1

Re: How is this helpful?

Prison sentences for the CEO and anyone working there that condoned the illegal action. It has been obvious for a long time, that fines do not work very well. It worked quite well for Iceland and its banks.

5
1
K
Silver badge

Re: How is this helpful?

If they store credit card data, they need to be PCI compliant... They should thank their lucky stars their Bank and the main Card brands (Visa etc) have not blacklisted them!

4
1

Punishing the guilty?

The organisation was fined, not the guilty individuals.

1
0

Re: How is this helpful?

There was no illegal action here, it's not an offence to be hacked.

Are you seriously suggesting that CEOs and sysadmins should be thrown in the slammer for poor management of security roles?

1
1
Anonymous Coward

Re: How is this helpful?

CEOs and directors should be held accountable where negligence can be proven, ie they were aware of security weaknesses but didn’t instigate work to fix the issue. Sysadmins should get sacked for misconduct / gross misconduct if they didn’t follow due process, implement the standards that have been defined by the organisation when requested to do so.

1
0
Bronze badge

Re: How is this helpful?

At least it averages out to a little less than 25p per person so, unfair as it is, it could have been worse.

It would be better, however, to make the top brass - or equivalent thereof - directly responsible and hit them with a fine and possibly some time in HM hostelry.

0
0
Bronze badge

Re: How is this helpful?

>This is the case for all commercial organisations.<

Commercial organisations are the same as not-for-profits? Right, I'll go tell my boss he should re-organise the company as a not-for profit. I'll tell him that "only customers and taxpayers" are affected by profits.

0
0

OK if they pro-rata the fine when it's applied to big business

Bet there is an upper limit so they get off!

All these "regulations" are designed to impact small businesses more than big.

ICO reg is £40 max £2900, so % of turnover dropped for big business

Compliance is typically the same for a small business as a large one, again this impacts small business more than big business.

My calcualtions are the compliance for any small business is now over a one man-year task.

Accounting, Tax forms, Pension, GDPR, planning, H&S, I could go on.

Regulation is designed by those who go to the meetings. When could a plumber afford to go to "consultations"? British Gas, BT, Google et al can send teams!

13
7
Silver badge

Re: OK if they pro-rata the fine when it's applied to big business

The fines are now 23,000,000€ or 4% of global turnover, whichever is the larger. That should be a deterrent for most.

Whether this was done under the old rules or they were particularly lenient is the next question.

6
0
Silver badge
Headmaster

Re: OK if they pro-rata the fine when it's applied to big business

My possibly erroneous understanding is that changes to the law cannot affect a running case in the UK at least.

The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them.

15
0
Anonymous Coward

Re: OK if they pro-rata the fine when it's applied to big business

"The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them, [...]"

While apparently true - that doesn't stop the government declaring possession of something as illegal. Even if it has been possessed legally for many years previously.

A general exception could be the introduction of the change to the principle of "double jeopardy". That then made it possible to retry someone for an historical crime - of which they had previously been found not guilty.

3
0

Re: OK if they pro-rata the fine when it's applied to big business

but HMRC can ;)

5
0
Silver badge

Re: OK if they pro-rata the fine when it's applied to big business

> The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them,

Unless, of course, they've realised that a department... say GCHQ... wasn't actually exempted from, I dunno, let's say the Computer Misuse Act, and so passed an amendment and applied it retrospectively in response to that department being sued.

That's totally different, you understand...

12
0
Silver badge

Re: OK if they pro-rata the fine when it's applied to big business

"Whether this was done under the old rules or they were particularly lenient is the next question."

The breach was 2016 so that'll be old rules.

3
0
Silver badge

Re: OK if they pro-rata the fine when it's applied to big business

@}{amis}{

My possibly erroneous understanding is that changes to the law cannot affect a running case in the UK at least.

I think so as well. If it was under the new rules, that was a very quick process!

2
0

Re: OK if they pro-rata the fine when it's applied to big business

"My calcualtions (sic) are the compliance for any small business is now over a one man-year task.

Accounting, Tax forms, Pension, GDPR, planning, H&S, I could go on."

You could go on, but please don't, because you would be talking from your fundament. Most business regulations don't apply to micro-businesses (fewer than 10 people). But either way, as a small business owner, I can absolutely confirm that your statement is not accurate, so please don't spread FUD. We have the Daily Mail for that.

7
2

Re: OK if they pro-rata the fine when it's applied to big business

You are out of date; most regulation now applies to all business regardless of size. GDPR, Pensions, H&S, and of course all tax stuff. Transport regs (e.g. taxi), gas, electric, trade, house rental.

I have created 10s of small businesses. I DO know!

2
0
Anonymous Coward

This will be another company that goes bump and is resurrected three days later.

6
2
Anonymous Coward

Bible Bashers Get Bible Bashed

Missed a sitter there Reg.

3
0
Anonymous Coward

Re: Bible Bashers Get Bible Bashed

Oh come on, not everyone can bash the err... bishop every time...

7
0

Religious types should be brilliant at IT. Moses brought down 2 tablets from Mt Sinai; I assume they were Apples, joining up with a previous story in the book. And this Job character obviously instigated batch processing. Numbers, well, where would data processing be without numbers? Exodus? That's Friday lunchtimes down the pub.

17
0
Anonymous Coward

>Religious types should be brilliant at IT. Moses brought down 2 tablets from Mt Sinai,

Pity they didn't read the commandments on those tablets

"Thou shall parse the word of the Lord properly"

6
0
Anonymous Coward

Noah was good with DDoS attacks.

2
0
Silver badge

Even Jesus survived a reboot.

14
0
Bronze badge

That's because Jesus saves.

2
0

This post has been deleted by its author

We said they'd be trouble when they appointed Father Dougal Maguire as head of IT.

14
0
Silver badge
Boffin

Well everybody knows that the Believers don't get any research points for the first 20 turns and have -1 labs as a base modifier, so it's understandable if their tech lags behind the other civs.

Icon: Academician Prokhor Zakharov, "For I Have Tasted the Fruit"

10
2
Silver badge

Alpha Centauri

No that was a good game, and taught me a lot about philosophy.

4
0
Angel

Holy orders

The Lord giveth and the ICO take away

8
0
Anonymous Coward

Re: Holy orders

"The Lord giveth and the ICO take away"

Their god moves in mysterious ways. Maybe the ICO is a milder form of retribution than the proverbial bolt of lightning - or is possibly a modern type of plague.

On the other hand they will probably say it shows their god's disapproval of governments allowing same-sex marriages.

2
0
Silver badge

let off lightly

100 grand for over 400K users' details

It did not specify how many of those had credit card data (or how detailed the CC data was, e.g. obfuscated card (not all digits stored, e.g. just last 4), full card, encrypted (properly), no card details, just tokens, etc.)

But given the huge amount of time it takes (defrauded person) to resolve card fraud (& problems of getting some fraudulent transactions refunded), then it's not a biblical Old Testament level of punishment.

(SO had card physically stolen a while ago, so recent experience of how much time spent on the phone to the bank anti-fraud team is required to get things resolved - it took quite a long time)

2
1
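The storage options listed in the comment above (truncated PAN, full PAN, encrypted PAN, token only) map onto a concrete design choice for any donation system. The following is an added example, not code from the Bible Society, The Register or the commenter: it validates a card number with the Luhn check, then builds the donor record from only a masked PAN (last four digits, as the comment describes) and a keyed HMAC token, so the full PAN never lands in the database. The key, the record field names and the well-known test card number 4111 1111 1111 1111 are assumptions for the demonstration. The keyed MAC matters: a plain SHA-256 of a PAN is brute-forceable from a leaked database because, given a six-digit BIN, only about a billion Luhn-valid candidates remain.

```python
import hmac
import hashlib
import re
from typing import Dict

# Assumption for the example: in a real deployment this key lives in an HSM
# or vault service, never in application config or the same database as the
# donor records. Constructed value for the demonstration only.
EXAMPLE_VAULT_KEY = b"example-only-do-not-use-0123456789abcdef"


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes and confirm we have 12-19 decimal digits."""
    pan = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{12,19}", pan):
        raise ValueError("PAN must be 12-19 digits")
    return pan


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; catches typos, not fraud."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits; PCI DSS permits first six and
    last four for display, the comment's 'just last 4' is the stricter form."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def tokenise_pan(pan: str, key: bytes) -> str:
    """Keyed, deterministic token: the same card always yields the same token
    (so repeat donors can be recognised) but without the key an attacker who
    steals the table cannot enumerate PANs to match tokens."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_donation(raw_pan: str, amount_pence: int, key: bytes = EXAMPLE_VAULT_KEY) -> Dict[str, object]:
    """Build the record the donation database would keep. The full PAN is
    validated, used to derive the token and masked form, and then discarded."""
    pan = normalise_pan(raw_pan)
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    record = {
        "masked_pan": mask_pan(pan),
        "card_token": tokenise_pan(pan, key),
        "amount_pence": amount_pence,
    }
    # Defensive check that no field accidentally carries the PAN itself.
    assert pan not in repr(record)
    return record


if __name__ == "__main__":
    # Well-known test card number (Luhn-valid, constructed input, not a real card).
    print(store_donation("4111 1111 1111 1111", 2500))
```

The record is what the ICO would have found in a breach of this design: a masked PAN useful for the donor's own receipt, a token useful only to the system holding the key, and no card number to sell. If the charity needs to charge the card again, the token is the handle it hands to a payment processor's vault, which is the "no card details, just tokens" option in the comment.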
Anonymous Coward

ICO hatred

Why fine an organisation which is obviously not a profit making organisation such a large amount of money. Bunch of utter arsehole jobsworths who manage to do fuck all against big companies. Civil service at its worst.

8
16
Silver badge

Re: ICO hatred

Why fine an organisation which is obviously not a profit making organisation such a large amount of money.

Please tell me exactly why the personal information of the 400000+ individuals affected is worth less than 25p each.

14
2
Silver badge

Where was God?

The Lord does not let the righteous go hungry, but he thwarts the craving of the wicked. (Prov. 10:3)

Seems the inverse in this case; wonder how much the hackers got for the faithful's details..

4
2
Bronze badge

£100,000 is a vast amount to such a small organisation, now we need to see the same level of fines against Facebook and the other megacorps !

12
0
Silver badge

Obligatory Bible quotes...

...

Nothing is covered up that will not be revealed, or hidden that will not be known.

...

Luke 12:2

11
0
Silver badge

Such a noble organisation deserves our full support in this time of need.

Sending thoughts and prayers...

13
0

initial breach ?

any truth that it was a "5 loaves and 2 phishing" attack.

2
0

>"Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated."<

It is appalling that contributors to The British and Foreign Bible Society should be outed as Christians.

4
0
Anonymous Coward

A study is to be made about any increase in anti-Christian hate crimes. Some articles have suggested it is down to the UK becoming more secular - but some examples seem to be of vicars being threatened by people whose fervent Christian belief has taken over their reason.

0
0
Silver badge

A study is to be made about any increase in anti-Christian hate crimes.

That sounds very much like designing the study to fit your (pre-determined) conclusions. Part of the reason why we need a 'journal of negative results', and study registrations to ensure results are published, to mitigate the situation where someone sponsors a study and then throws it away when it doesn't give the conclusion they want.

If we're talking about comparative studies of how religious and non-religious people behave, how about this one, which gives the opposite conclusion to that which many Christians would expect:

https://www.cell.com/current-biology/abstract/S0960-9822(15)01167-7?code=cell-site

0
0

This post has been deleted by its author

Not sure that a charity like the bible society exactly has £100k just lying around unused. It's quite hard on a small charity.

There will be more of this sort of thing. Every organisation has to be on the web; but the web is inherently insecure. Making things secure is impossible; or at least, very expensive. Charities don't have the resources to do this; so they get fined for the web being insecure by design.

I'm not sure what the answer is, but I can't help feeling something is amiss.

0
0
