Abortion provider the British Pregnancy Advice Service (BPAS) has been fined £200,000 after security lapses enabled a hacker to steal the names, addresses and phone numbers of thousands of people who had contacted the charity for advice.
The UK privacy watchdog, the Information Commissioner's Office (ICO), levied the fine after the hacker threatened to publish the names - and was only prevented from doing so by a police operation to recover the data.
But an ICO investigation found that BPAS did not realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who had sought its advice, that the data was not stored securely, and that a vulnerability in the BPAS website's code allowed the hacker to steal it.
In a hard-hitting judgement published on 7 March, the ICO accused the charity of ‘ignorance’ and an ‘unforgiveable’ data breach.
Deputy Commissioner and Director of Data Protection, David Smith, said: “The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.
“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.”
But a “horrified” BPAS said it is appealing against the ICO verdict. Chief executive Ann Furedi said the hacker was being “rewarded” by the scale of the fine.
BPAS said the case dates back two years to 8 March 2012 when the hacker broke into its website, defaced it with anti-abortion messages and obtained the personal details of people who had requested a call-back to discuss issues relating to pregnancy, contraception and sexual health. BPAS said it contacted the police immediately.
As a result, hacker James Jeffery, who, according to The Independent newspaper, was linked with the Anonymous group, was arrested by specialist e-crime police officers, found guilty and jailed for 32 months.
BPAS said in a 7 March statement: “These were not personal medical records of women who had undergone treatment at BPAS and such records were never at risk, but BPAS takes any data breach immensely seriously and we were appalled that any information we hold had been compromised.
“We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.”
Furedi added: “It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way.”
But security expert Adrian Culley, global technical consultant at Damballa, said the fine was the right decision.
He told SCMagazineUK.com via email: “It is 30 years since the UK first introduced a Data Protection Act requiring safeguards around the handling of personal data. Today, it is both encouraging that we have a viable Information Commissioner's Office capable of policing and enforcing these matters, but also very disappointing that some individual organisations still do not protect the personal data they hold.
“Anyone who holds personal data of third parties must assume there are hackers going to great lengths to access this information and should seek actionable intelligence on an ongoing basis to detect suspicious activity. Personal data sitting on a computer system can be just as valuable as bank notes sitting in a vault. It needs protecting just the same.”
Calum MacLeod, VP of EMEA at Lieberman Software Corporation, had some sympathy for BPAS's plight. He said in a comment emailed to journalists: “The fine for the BPAS is not a surprise, and I have to feel sympathy for them. Like many registered charities, they are never going to be able to attract top IT staff, and with their limited resources, it will very often mean that they will outsource services, such as website development.
“What this shows is that great care needs to be taken when doing this type of work. If you don't have the staff that can do proper penetration testing on applications such as websites, then you are at serious risk of a breach. There are so many risk areas associated with websites, that makes professional testing essential.”
The ICO's David Smith added: “There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures.”
The ICO investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call-back details for five years longer than was necessary for its purposes.