ICO smites Bible Society, well fines it £100k...

The Information Commissioner's Office has not so much rained fire and brimstone down on the British and Foreign Bible Society as drizzled it with a £100,000 fine - after the personal data of 417,000 supporters was put at risk due to a cyber attack. As a result of a ransomware attack in 2016, intruders were able to exploit a …

  1. Korev Silver badge
    Joke

    This story is a New Testament to poor security

  2. Anonymous Coward
    Anonymous Coward

    No, they shouldn't be fined!

    Because not protecting their data amounts to turning the other cheek (as required by the rules), and the flock whose privates have been exposed should be forgiving the Bible Society. And the ICO, who are THEY to sit in judgement....etc etc

    Today's thought is for the Bible Society, and comes from the New International Version, Psalm 19:2 "Day after day they pour forth speech; night after night they reveal knowledge"

  3. Richard 22

    How is this helpful?

    So, because an organisation which relies on credit card donations for funding was not careful with those cardholder details, they're fining the organisation £100000. Money, which the organisation got from the cardholders. So the cardholders are paying the fine for something which potentially injured them, and which wasn't their fault. Something feels wrong about this...

    1. Anonymous Coward
      Anonymous Coward

      Re: How is this helpful?

      Like all fines it's not just about punishing the guilty, it is also about making others sit up and listen.

      Sadly the approach doesn't really work because the fines are not based on income but generally fixed and out of date.

      In this case, though, I suspect it will work as few charities can afford to just soak up a £100K fine.

      Having written systems for charities over the years the common theme in my experience is they are run by people who want to do good, but not necessarily competent to run a company, as such the Bible Society's example here rings true with my experiences elsewhere.

      1. Woodnag

        Punishing the guilty?

        The organisation was fined, not the guilty individuals.

    2. big_D Silver badge
      Facepalm

      Re: How is this helpful?

      The same is true of any organization or company... Its money had to come from somewhere, either paying customers, paying supporters or the general population (taxes for governmental departments and institutions).

      Using your argument, no company should ever be fined, no matter what they do, because they are not being hurt, because their customers are paying for it...

    3. Dodgy Geezer Silver badge

      Re: How is this helpful?

      ...So the cardholders are paying the fine for something which potentially injured them, and which wasn't their fault....

      This is the case for all commercial organisations.

      Any such organisation provides services in return for money. The money either comes in from the customers, or, frequently nowadays, from taxpayers. When it is hit with a fine, that just means the customers get less value for their money.

      Even if we are talking about a highly competitive multi-company environment, hitting one company with a fine will make it less competitive, and hence less of a danger to its competitors. So they can raise prices a bit more.

      Fines work against individual people. They are pointless against companies, and especially pointless against government organisations.

      1. ITS Retired

        Re: How is this helpful?

        Prison sentences for the CEO and anyone working there that condoned the illegal action. It has been obvious for a long time, that fines do not work very well. It worked quite well for Iceland and its banks.

        1. Joeyjoejojrshabado

          Re: How is this helpful?

          There was no illegal action here, it's not an offence to be hacked.

          Are you seriously suggesting that CEOs and sysadmins should be thrown in the slammer for poor management of security roles?

          1. Anonymous Coward
            Anonymous Coward

            Re: How is this helpful?

            CEOs and directors should be held accountable where negligence can be proven, ie they were aware of security weaknesses but didn’t instigate work to fix the issue. Sysadmins should get sacked for misconduct / gross misconduct if they didn’t follow due process, implement the standards that have been defined by the organisation when requested to do so.

      2. david 12 Silver badge

        Re: How is this helpful?

        >This is the case for all commercial organisations.<

        Commercial organisations are the same as not-for-profits? Right, I'll go tell my boss he should re-organise the company as a not-for-profit. I'll tell him that "only customers and taxpayers" are affected by profits.

    4. K

      Re: How is this helpful?

      If they store credit card data, they need to be PCI compliant... They should thank their lucky stars their Bank and the main Card brands (Visa etc) have not blacklisted them!

    5. Sam Therapy

      Re: How is this helpful?

      At least it averages out to a little less than 25p per person so, unfair as it is, it could have been worse.

      It would be better, however, to make the top brass - or equivalent thereof - directly responsible and hit them with a fine and possibly some time in HM hostelry.

  4. Panicnow

    OK if they pro-rata the fine when its applied to big business

    Bet there is an upper limit so they get off!

    All these "regulations" are designed to impact small businesses more than big.

    ICO reg is £40 max £2900, so % of turnover dropped for big business

    Compliance is typically the same for a small business as a large one, again this impacts small business more than big business.

    My calculations are the compliance for any small business is now over a one man-year task.

    Accounting, Tax forms, Pension, GDPR, planning, H&S, I could go on.

    Regulation is designed by those who go to the meetings, When could a plumber afford to go to "consultations"? British Gas, BT, Google et al can send teams!

    1. big_D Silver badge

      Re: OK if they pro-rata the fine when its applied to big business

      The fines are now 23,000,000€ or 4% of global turnover, whichever is the larger. That should be a deterrent for most.

      Whether this was done under the old rules or they were particularly lenient is the next question.

      1. }{amis}{
        Headmaster

        Re: OK if they pro-rata the fine when its applied to big business

        My possibly erroneous understanding is that changes to the law cannot affect a running case in the UK at least.

        The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them.

        1. Anonymous Coward
          Anonymous Coward

          Re: OK if they pro-rata the fine when its applied to big business

          "The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them, [...]"

          While apparently true - that doesn't stop the government declaring possession of something as illegal. Even if it has been possessed legally for many years previously.

          A general exception could be the introduction of the change to the principle of "double jeopardy". That then made it possible to retry someone for an historical crime - of which they had previously been found not guilty.

        2. cbars Bronze badge

          Re: OK if they pro-rata the fine when its applied to big business

          but HMRC can ;)

        3. Ben Tasker

          Re: OK if they pro-rata the fine when its applied to big business

          > The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them,

          Unless, of course, they've realised that a department... say GCHQ... wasn't actually exempted from, I dunno, let's say the Computer Misuse Act and so passed an amendment and applied it retrospectively in response to that department being sued.

          That's totally different, you understand...

        4. big_D Silver badge

          Re: OK if they pro-rata the fine when its applied to big business

          @}{amis}{

          My possibly erroneous understanding is that changes to the law cannot affect a running case in the UK at least.

          I think so as well. If it was under the new rules, that was a very quick process!

      2. Doctor Syntax Silver badge

        Re: OK if they pro-rata the fine when its applied to big business

        "Whether this was done under the old rules or they were particularly lenient is the next question."

        The breach was 2016 so that'll be old rules.

    2. frank 3

      Re: OK if they pro-rata the fine when its applied to big business

      "My calcualtions (sic) are the compliance for any small business is now over a one man-year task.

      Accounting, Tax forms, Pension, GDPR, planning, H&S, I could go on."

      You could go on, but please don't, because you would be talking from your fundament. Most business regulations don't apply to micro-businesses (fewer than 10 people). But either way, as a small business owner, I can absolutely confirm that your statement is not accurate, so please don't spread FUD. We have the Daily Mail for that.

      1. Panicnow

        Re: OK if they pro-rata the fine when its applied to big business

        You are out of date, most regulation now applies to all business regardless of size. GDPR, Pensions, H&S, and of course all tax stuff. Transport regs (e.g. taxi), Gas, electric, trade, house rental.

        I have created tens of small businesses, I DO know!

  5. Anonymous Coward
    Anonymous Coward

    This will be another company that goes bump and is resurrected three days later.

  6. Anonymous Coward
    Anonymous Coward

    Bible Bashers Get Bible Bashed

    Missed a sitter there Reg.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bible Bashers Get Bible Bashed

      Oh come on, not everyone can bash the err... bishop every time...

  7. Paul Herber Silver badge

    Religious types should be brilliant at IT. Moses brought down 2 tablets from Mt Sinai, I assume they were Apples, joining up with a previous story in the book. And this Job character, obviously instigated batch-processing. Numbers, well, where would data processing be without numbers? Exodus? That's Friday lunchtimes down the pub.

    1. Anonymous Coward
      Anonymous Coward

      >Religious types should be brilliant at IT. Moses brought down 2 tablets from Mt Sinai,

      Pity they didn't read the commandments on those tablets

      "Thou shall parse the word of the Lord properly"

    2. Anonymous Coward
      Anonymous Coward

      Noah was good with ddos attacks.

    3. Lee D Silver badge

      Even Jesus survived a reboot.

      1. Jtom

        That's because Jesus saves.

  8. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    We said they'd be trouble when they appointed Father Dougal Maguire as head of IT.

  10. ArrZarr Silver badge
    Boffin

    Well everybody knows that the Believers don't get any research points for the first 20 turns and have -1 labs as a base modifier, so it's understandable if their tech lags behind the other civs.

    Icon: Academician Prokhor Zakharov, "For I Have Tasted the Fruit"

    1. John G Imrie

      Alpha Centauri

      No that was a good game, and taught me a lot about philosophy.

  11. Floydian Slip
    Angel

    Holy orders

    The Lord giveth and the ICO take away

    1. Anonymous Coward
      Anonymous Coward

      Re: Holy orders

      "The Lord giveth and the ICO take away"

      Their god moves in mysterious ways. Maybe the ICO is a milder form of retribution than the proverbial bolt of lightning - or is possibly a modern type of plague.

      On the other hand they will probably say it shows their god's disapproval of governments allowing same-sex marriages.

  12. tiggity Silver badge

    let off lightly

    100 grand for over 400K users details

    It did not specify how many of those had credit card data (or how detailed the CC data was e.g. obfuscated card (not all digits stored - e.g. just last 4), full card, encrypted (properly), no card details just tokens etc.)

    But given the huge amount of time it takes (defrauded person) to resolve card fraud (& problems of getting some fraudulent transactions refunded) then it's not a biblical Old Testament level of punishment

    (SO had card physically stolen a while ago so recent experience of how much time spent on phone to bank anti-fraud team is required to get things resolved - it took quite a long time)
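The post above lists the ways a donor database might hold card data (last four only, full card, "properly" encrypted, or tokens). The following is an added example, not code from the Bible Society, the ICO report or the article, showing why those options are not equivalent. It assumes a hypothetical attacker who has the masked receipt (last four digits) and knows the issuer's eight-digit BIN, and it assumes the HMAC key is kept outside the database the attacker has stolen; the test card number is the standard Luhn-valid sample, not a real card.

```python
import hashlib
import hmac
import itertools
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test. Catches typos; it is not a security control."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as printed on a receipt."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256. Looks 'encrypted' but the PAN space is small enough to enumerate."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the donor database (e.g. in an HSM).
    Without the key the token reveals nothing; with the same key it is stable, so
    repeat donations from one card can still be matched."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_plain_hash(target: str, bin8: str, last4: str) -> Optional[str]:
    """Hypothetical attacker model: the 8-digit BIN and the masked last four are known,
    so only the middle four digits are unknown (10,000 candidates, fewer after Luhn)."""
    for middle in itertools.product("0123456789", repeat=4):
        candidate = bin8 + "".join(middle) + last4
        if luhn_valid(candidate) and plain_hash(candidate) == target:
            return candidate
    return None


def donor_record(name: str, pan: str, key: bytes) -> dict:
    """What a supporter table should hold after the payment: no PAN at all, only the
    masked form for display and a keyed token for matching repeat donors."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("invalid card number")
    return {
        "name": name,
        "card_mask": mask_pan(digits),
        "card_token": keyed_token(digits, key),
    }


if __name__ == "__main__":
    # Constructed sample input: the well-known Luhn-valid test number, not a real card.
    sample_pan = "4111 1111 1111 1111"
    vault_key = b"hypothetical-key-held-in-hsm-not-in-db"

    stolen_hash = plain_hash(sample_pan.replace(" ", ""))
    print("recovered from plain hash:", recover_from_plain_hash(stolen_hash, "41111111", "1111"))
    print("stored record:", donor_record("A Supporter", sample_pan, vault_key))
```

The brute-force function is the practical reason "encrypted (properly)" matters: an unkeyed hash of a 16-digit PAN is reversible in well under a second once the BIN and last four are known, which is why current PCI DSS guidance calls for keyed hashes or tokenisation rather than plain hashes, and why the key must not sit in the same store as the tokens.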

  13. Anonymous Coward
    Anonymous Coward

    ICO hatred

    Why fine an organisation which is obviously not a profit making organisation such a large amount of money. Bunch of utter arsehole jobsworths who manage to do fuck all against big companies. Civil service at its worst.

    1. defiler

      Re: ICO hatred

      Why fine an organisation which is obviously not a profit making organisation such a large amount of money.

      Please tell me exactly why the personal information of the 400000+ individuals affected is worth less than 25p each.

  14. Gordon Pryra

    Where was God?

    The Lord does not let the righteous go hungry, but he thwarts the craving of the wicked. (Prov. 10:3)

    Seems the inverse in this case, wonder how much the hackers got for the faithfuls details..

  15. Wolfclaw

    £100,000 is a vast amount to such a small organisation, now we need to see the same level of fines against Facebook and the other megacorps !

  16. Dodgy Geezer Silver badge

    Obligatory Bible quotes...

    ...

    Nothing is covered up that will not be revealed, or hidden that will not be known.

    ...

    Luke 12:2

  17. Velv

    Such a noble organisation deserves our full support in this time of need.

    Sending thoughts and prayers...

  18. no_handle_yet

    initial breach ?

    any truth that it was a "5 loaves and 2 phishing" attack.

  19. Claverhouse Silver badge

    >"Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated."<

    It is appalling that contributors to The British and Foreign Bible Society should be outed as Christians.

    1. Anonymous Coward
      Anonymous Coward

      A study is to be made about any increase in anti-Christian hate crimes. Some articles have suggested it is down to the UK becoming more secular - but some examples seem to be of vicars being threatened by people whose fervent Christian belief has taken over their reason.

      1. Loyal Commenter Silver badge

        A study is to be made about any increase in anti-Christian hate crimes.

        That sounds very much like designing the study to fit your (pre-determined) conclusions. Part of the reason why we need a 'journal of negative results', and study registrations to ensure results are published, to mitigate the situation where someone sponsors a study and then throws it away when it doesn't give the conclusion they want.

        If we're talking about comparative studies of how religious and non-religious people behave, how about this one, which gives the opposite conclusion to that which many Christians would expect:

        https://www.cell.com/current-biology/abstract/S0960-9822(15)01167-7?code=cell-site

  20. This post has been deleted by its author

  21. Old Englishman

    Not sure that a charity like the Bible Society exactly has £100k just lying around unused. It's quite hard on a small charity.

    There will be more of this sort of thing. Every organisation has to be on the web; but the web is inherently insecure. Making things secure is impossible; or at least, very expensive. Charities don't have the resources to do this; so they get fined for the web being insecure by design.

    I'm not sure what the answer is, but I can't help feeling something is amiss.

    1. TheLifeofBri

      Small Charity?

      Their turnover is close to £20m and they have significant assets according to Charity Commission, so hardly a small charity.

      Fine does seem high to me, but I suspect there's often more to some of these cases than gets put in the ICO press release.

  22. ro55mo
    Facepalm

    What else would they be?

    "Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred"

    Ya think?
