Regulatory agencies often say they don’t want to sanction a company simply because it suffered a cybersecurity lapse. Hackers are formidable opponents, this line of thinking goes, so an organization must demonstrate some truly inattentive security practices before an agency will impose a penalty on top of the harm suffered by an attack.
Now we have an example of what that idea looks like in practice.
Thank the Information Commissioner’s Office of Britain. The ICO recently hit the British and Foreign Bible Society with a £100,000 fine for a breach that happened in 2016, where poor security settings allowed hackers to abscond with the personal data of more than 400,000 of the Bible Society’s supporters.
The chain of events here is worth close scrutiny. First, the Bible Society’s IT staff created a “service account” in 2009 to manage supporters’ data, where the user ID and password for the account were identical. That alone is bad security practice, but originally that account was not accessible off-site; you had to be in the Bible Society’s offices to use it.
“At a later date,” as the ICO’s order vaguely phrases it, the Bible Society reconfigured that service account so someone could access it remotely, so staff could manage the data while working from home.
On Dec. 1, 2016, hackers took control of the service account (because the password was so weak) and locked 1 million Bible Society records in a ransomware attack. Good news: the Bible Society backed up its records often and had done so just one day before, so the ransomware attack was no serious disruption. Bad news: the attackers also ran a second attack that let them copy the personal data of 417,000 Bible Society supporters.
The ICO couldn’t confirm exactly how much data was taken, about whom. It could only identify “unusual peaks in outbound traffic during the attack,” which suggested the loss of names, addresses, credit card data, and religious affiliations.
Data Breaches, Compliance, and Risk
If any single sentence in the ICO’s order matters to compliance officers, it’s this: “The Society did not identify the possible risks to its network when the service account was given an additional user right to log on to the RDS.”
The Bible Society changed the design of its IT systems, so its risk changed. But nobody within the organization conducted a fresh risk assessment to identify the new weakness (possible takeover of the service account) and recommend appropriate new controls (say, strengthening the password and adopting a policy to lock down the account after several failed login attempts).
We should note that in other respects, the Bible Society had strong IT controls. For example, it backed up data regularly, and therefore thwarted the ransomware attack. And the ICO couldn’t even confirm data actually was stolen; it could only surmise that data probably was stolen.
None of that mattered here. The offense was that the Bible Society failed to assess risks in a timely manner.
We’ve spoken before on this blog about “triggering events” that should lead to new risk assessments or due diligence. They apply in the anti-bribery context (a third party coming under new ownership) just as well as they do for data security (reconfiguring IT systems to handle data in new ways). The crucial point for compliance officers is to know what your triggering events are, and how to recognize them when they happen. That’s true for your third parties, as well as your own organization.
Without that awareness, without policy and resources to fulfill that duty, one shouldn’t be surprised that regulators hit you with a penalty.
As to the penalty of £100,000, we should remember that this breach happened prior to the General Data Protection Regulation that went into effect this year; the ICO had to impose a penalty until Britain’s older data protection law that allowed penalties only up to £500,000.
Now the GDPR is in effect in Britain and across Europe (and across the world, really, if you collect data on EU citizens). The GDPR allows penalties up to 4 percent of an organization’s total annual revenue. If the Bible Society’s breach happened today, that would have exposed the group to a possible penalty up to £781,000. At larger organizations, this sort of inattention could now cost millions.