Abortion provider BPAS fined £200,000 for data breach

An abortion provider has been fined £200,000 for a data breach that revealed almost 10,000 people's details to a hacker.

The hacker threatened to publish the names of people who had contacted the British Pregnancy Advisory Service's website for advice on pregnancy issues.

The Information Commissioner's Office said the fact BPAS had not realised its site stored details was "no excuse".

BPAS said the fine was "out of proportion" and plans to appeal.

The Information Commissioner's Office (ICO) investigation found the charity had failed to realise its website was storing the name, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues.

The personal data was not stored securely, and a vulnerability in the website's code allowed the hacker to access the system and locate the information in March 2012.

The hacker threatened to publish the names of the individuals whose details he had accessed, but was prevented from doing so after the information was recovered by the police following an injunction obtained by BPAS.

He was subsequently given a prison term of 32 months.

David Smith, deputy commissioner and director of data protection at the ICO, said: "Data protection is critical and getting it right requires vigilance.

'Simple message'

"The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.

"But ignorance is no excuse.

"It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS."

Mr Smith added: "Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

"There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures."

BPAS chief executive Ann Furedi said: "We accept that no hacker should have been able to steal our data but are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.

"BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy.

"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime."
