British Pregnancy Advice Service slammed over £200K data breach fine
Abortion service blasted over poor data handling in wake of £200,000 data breach fine from the ICO.

The information security industry has blasted the British Pregnancy Advice Service (BPAS) after it was fined £200,000 for a serious breach of the Data Protection Act.
News of the fine broke last Friday, when it was revealed that almost 10,000 people who contacted the abortion charity had their names, addresses and contact details exposed to a hacker.
The affected individuals were people who entered their name, address, date of birth and telephone number into the BPAS website to request a call back from one of its advisors.
This data was then stored by the website, unbeknown to the charity, in an insecure way, and a flaw in the website's code allowed a hacker to access the system and extract the information.
The hacker later threatened to publish the names of people who contacted the service, an act that was later prevented by the police and an injunction obtained by the BPAS.
The individual behind the attack later received a 32-month jail sentence.
The service was fined £200,000 in total after an investigation by the Information Commissioner's Office (ICO), which confirmed the BPAS had breached the Data Protection Act twice.
The first breach was the exposure of the information to the hacker; the second was the retention of the call back data for five years longer than it was needed.
David Smith, deputy commissioner and director of data protection at the ICO, said the BPAS could not use ignorance as an excuse in this case.
"It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe," said Smith. "There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures."
In response, BPAS chief executive Ann Furedi said the organisation accepts hackers should not have been able to steal its data, before criticising the size of the fine it received.
"We accept that no hacker should have been able to steal our data but are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do," she said.
"BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy.
"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime," she concluded.
Since news of the data breach broke, the information security industry has roundly condemned the BPAS and its approach to data handling.
Tim Erlin, director of security and risk at vendor Tripwire, said: "They must have known they were a target and should have been more diligent about securing this data."
Brendan Rizzo, technical director for EMEA at Voltage Security, was equally damning in his response to the news.
"Companies must ensure that, if the data does need to be collected, it is protected with strong encryption," said Rizzo.
"Often this is seen as a stumbling block because it has traditionally required extensive customisations to accommodate the use of this encrypted data at every step along the way."
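The two failings the ICO counted, call back records held in the clear and kept for years longer than needed, map onto two controls. The following is an added example, not BPAS code and not anything Voltage shipped: a call back store that encrypts each record with AES-GCM before it is written, binds the creation timestamp as associated data so a record cannot be re-dated to dodge a retention sweep, and purges anything older than the retention period. The field names, the in-memory slice standing in for a database, and the process-held key (in production it would live in a KMS or HSM) are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CallbackRequest is the kind of record the BPAS form collected. Field names
// are assumptions for this example, not the charity's schema.
type CallbackRequest struct {
	Name        string
	Address     string
	DateOfBirth string
	Phone       string
}

// StoredRecord is what the backing store holds: only the creation time in the
// clear, plus the AES-GCM nonce and ciphertext of the serialised request.
type StoredRecord struct {
	CreatedAt  time.Time
	Nonce      []byte
	Ciphertext []byte
}

// Store keeps records encrypted under one AEAD key and enforces a retention
// period. The slice stands in for a database table; the key is assumed to be
// supplied by a KMS/HSM rather than generated in-process.
type Store struct {
	aead      cipher.AEAD
	retention time.Duration
	records   []StoredRecord
}

func NewStore(key []byte, retention time.Duration) (*Store, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, retention: retention}, nil
}

// Add encrypts the request before it touches storage. The creation timestamp
// is authenticated as associated data, so changing it later breaks decryption.
func (s *Store) Add(req CallbackRequest, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	plaintext, err := json.Marshal(req)
	if err != nil {
		return err
	}
	created := now.UTC()
	ad := []byte(created.Format(time.RFC3339))
	ct := s.aead.Seal(nil, nonce, plaintext, ad)
	s.records = append(s.records, StoredRecord{CreatedAt: created, Nonce: nonce, Ciphertext: ct})
	return nil
}

// Open decrypts record i. A modified ciphertext or a re-dated record fails
// authentication rather than yielding garbage.
func (s *Store) Open(i int) (CallbackRequest, error) {
	r := s.records[i]
	ad := []byte(r.CreatedAt.Format(time.RFC3339))
	pt, err := s.aead.Open(nil, r.Nonce, r.Ciphertext, ad)
	if err != nil {
		return CallbackRequest{}, errors.New("record failed authentication")
	}
	var req CallbackRequest
	if err := json.Unmarshal(pt, &req); err != nil {
		return CallbackRequest{}, err
	}
	return req, nil
}

// Purge drops every record older than the retention period and returns how
// many were removed; the vacated slots are zeroed so stale ciphertexts do not
// linger in the backing array.
func (s *Store) Purge(now time.Time) int {
	kept := s.records[:0]
	removed := 0
	for _, r := range s.records {
		if now.Sub(r.CreatedAt) > s.retention {
			removed++
			continue
		}
		kept = append(kept, r)
	}
	for i := len(kept); i < len(s.records); i++ {
		s.records[i] = StoredRecord{}
	}
	s.records = kept
	return removed
}

func (s *Store) Count() int { return len(s.records) }

func main() {
	key := make([]byte, 32) // stand-in for a KMS-held key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, _ := NewStore(key, 365*24*time.Hour)
	t0 := time.Date(2012, 3, 1, 9, 0, 0, 0, time.UTC)
	// Constructed sample request, not real data.
	_ = store.Add(CallbackRequest{Name: "A. Example", Address: "1 Example St", DateOfBirth: "1990-01-01", Phone: "01234 567890"}, t0)
	req, err := store.Open(0)
	fmt.Println(req.Name, err)
	fmt.Println("purged:", store.Purge(t0.Add(2*365*24*time.Hour)))
}
```

The point of binding the timestamp as associated data is that retention is only as good as the date it is keyed on; an attacker or a buggy migration that rewrote CreatedAt would otherwise quietly extend how long a record survives. Purging by policy also answers Smith's "know just what information you are holding": nothing older than the window exists to be stolen.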