ICO Fines British Abortion Charity £200k For Data Breach

The British Pregnancy Advice Service (BPAS), a charity which helps women considering abortion, has been fined £200,000 after a data breach revealed the names of 10,000 of its users to Anonymous hacker James Jeffery in March 2012.

Jeffrey, who was consequently sentenced to 32 months in jail for the attacks, threatened to publish the names and personal details of BPAS users, but was prevented from doing this following an investigation by police, who recovered the information following an injunction obtained by BPAS.

However, an investigation by the Independent Commissioner’s Office (ICO) found that the charity failed to realise its own website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues.

Vigilance

BPAS failed to store this data securely, and a vulnerability in the website’s code allowed Jones to access the system and locate the information, as well as defacing the website with the Anonymous logo. At the time of the hacks, the charity had said that no medical or personal information regarding women who received treatment had been obtained during the attack.

The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.

“Data protection is critical and getting it right requires vigilance,” said David Smith, deputy commissioner and director of data protection at the ICO in a statement. “But ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

Major fine

BPAS, which recorded a turnover of £27m last year, said it accepted that no hacker should have been able to steal its data, but that it was ‘horrified’ by the size of the fine, which it felt does not reflect the fact that it was a victim of a serious crime by someone opposed to its activities.

“BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy,” BPAS chief executive Ann Furedi said. “This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.”

How well do you know Internet security? Try our quiz!