ICO Fines British Abortion Charity £200k For Data Breach

The British Pregnancy Advice Service (BPAS), a charity which helps women considering abortion, has been fined £200,000 after a data breach revealed the names of 10,000 of its users to Anonymous hacker James Jeffery in March 2012.

Jeffery, who was consequently sentenced to 32 months in jail for the attacks, threatened to publish the names and personal details of BPAS users, but was prevented from doing so after an investigation by police, who recovered the information following an injunction obtained by BPAS.

However, an investigation by the Independent Commissioner’s Office (ICO) found that the charity failed to realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.

Vigilance

BPAS failed to store this data securely, and a vulnerability in the website’s code allowed Jones to access the system and locate the information, as well as defacing the website with the Anonymous logo. At the time of the hacks, the charity had said that no medical or personal information regarding women who received treatment had been obtained during the attack.

The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.

“Data protection is critical and getting it right requires vigilance,” said David Smith, deputy commissioner and director of data protection at the ICO, in a statement. “But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

Major fine

BPAS, which recorded a turnover of £27m last year, said it accepted that no hacker should have been able to steal its data, but that it was ‘horrified’ by the size of the fine, which it felt did not reflect the fact that it was a victim of a serious crime by someone opposed to its activities.

“BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy,” BPAS chief executive Ann Furedi said. “This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.”

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

View Comments

  • This fine seems totally out of proportion. Yes, the charity did wrong, but it's a charity, so that's £200,000 that will not be used for good purposes.

    The charity was a victim of a criminal act - but it appears victims are being punished.

    To be honest, it shouldn't be the company or charity that's fined but the individuals responsible for the errors, i.e. the web developers or the management of the organisation.
