The British Pregnancy Advice Service (BPAS), a charity which helps women considering abortion, has been fined £200,000 after a data breach revealed the names of 10,000 of its users to Anonymous hacker James Jeffery in March 2012.
Jeffery, who was consequently sentenced to 32 months in jail for the attacks, threatened to publish the names and personal details of BPAS users, but was prevented from doing so following an investigation by police, who recovered the information after an injunction was obtained by BPAS.
However, an investigation by the Independent Commissioner’s Office (ICO) found that the charity failed to realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.
BPAS failed to store this data securely, and a vulnerability in the website’s code allowed Jeffery to access the system and locate the information, and to deface the website with the Anonymous logo. At the time of the hacks, the charity had said that no medical or personal information regarding women who received treatment had been obtained during the attack.
The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
“Data protection is critical and getting it right requires vigilance,” said David Smith, deputy commissioner and director of data protection at the ICO, in a statement. “But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
BPAS, which recorded a turnover of £27m last year, said it accepted that no hacker should have been able to steal its data, but that it was ‘horrified’ by the size of the fine, which it felt did not reflect the fact that it was the victim of a serious crime by someone opposed to its activities.
“BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy,” BPAS chief executive Ann Furedi said. “This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.”
This fine seems totally out of proportion. Yes, the charity did wrong, but it's a charity, so that's £200,000 that will not be used for good purposes.
The charity was a victim of a criminal act, but it appears victims are being punished.
To be honest, it shouldn't be the company or charity that's fined but the individuals responsible for the errors, i.e. the web developers or the management of the organisation.