Abortion provider BPAS fined £200,000 for data breach
An abortion provider has been fined £200,000 for a data breach that revealed almost 10,000 people's details to a hacker.
The hacker threatened to publish the names of people who had contacted the British Pregnancy Advisory Service's website for advice on pregnancy issues.
The Information Commissioner's Office said the fact BPAS had not realised its site stored details was "no excuse".
BPAS said the fine was "out of proportion" and plans to appeal.
The Information Commissioner's Office (ICO) investigation found the charity had failed to realise its website was storing the name, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues.
The personal data was not stored securely, and a vulnerability in the website's code allowed the hacker to access the system and locate the information in March 2012.
The hacker threatened to publish the names of the individuals whose details he had accessed, but was prevented from doing so after the information was recovered by the police following an injunction obtained by BPAS.
He was subsequently given a prison term of 32 months.
David Smith, deputy commissioner and director of data protection at the ICO, said: "Data protection is critical and getting it right requires vigilance.
'Simple message'
"The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.
"But ignorance is no excuse.
"It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS."
Mr Smith added: "Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
"There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures."
BPAS chief executive Ann Furedi said: "We accept that no hacker should have been able to steal our data but are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.
"BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy.
"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime."