The British Pregnancy Advice Service (BPAS), a charity that offers help and advice to women considering a termination of pregnancy, has been served a £200,000 penalty following the data breach that revealed almost 10,000 users’ details to a hacker.
James Jeffery, jailed for 32 months back in April 2012, defaced the BPAS website’s homepage with the logo of hacking group Anonymous, along with an anti-abortion message which read:
An unborn child does not have an opinion, a choice or any rights. Who gave you the right to murder an unborn child and profit from that murder? The product abortion is skilfully marketed and sold to the woman at a crisis time in their life. She buys the product, finds it defective and wants to return it for a refund but it is too late.
His plans to reveal patients’ identities, however, were thwarted when he was arrested on 10 March 2012, the day after BPAS reported the breach to police.
Even though patient data was not published, an investigation by the Information Commissioner’s Office (ICO) determined that the charity had failed to realise that its own website was storing the personal information of visitors who had asked for a call back for advice on pregnancy and abortion issues.
The cause of BPAS’ ignorance was the fact that, in 2007, it had used a third party IT company to develop an online appointment booking service. BPAS elected not to store user data in the CMS due to security concerns, but failed to adequately communicate this to the IT company, and the feature ended up being built in anyway.
The ICO investigation also found that the personal data was not stored securely.
Additionally, it was also found that BPAS had stored call back information for five years longer than was necessary for its purpose – a breach of the Data Protection Act.
In a case of ‘ignorantia juris non excusat’, David Smith, Deputy Commissioner and Director of Data Protection, said:
Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.
But ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures.
BPAS, while rightfully alarmed by the breach, is apparently shocked by the size of the penalty levied against it. Chief Executive Ann Furedi said:
We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that bpas was a victim of a serious crime by someone opposed to what we do... This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime... We will be appealing the verdict of the Information Commissioner’s Office.
If BPAS fails in its appeal of the verdict, it will have the opportunity to reduce the fine to £160,000 if it pays by the end of March.