British Pregnancy Advice Service Fined

Hacker Gained Access to Personal Info on Website
The UK Information Commissioner's Office has fined the British Pregnancy Advice Service £200,000 after a hacker gained access to personal details for about 10,000 of its clients. The charity provides reproductive support services for women.

The ICO says its investigation found that the charity didn't realize its website was storing names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.

A hacker was able to access the information on the website because of a vulnerability in the website's code and because the personal data wasn't stored securely, the ICO says.

The ICO also found that the charity failed to comply with the Data Protection Act by keeping the call-back details for five years longer than was necessary.

"The British Pregnancy Advice Service didn't realize their website was storing this information, didn't realize how long it was being retained and didn't realize the website wasn't being kept sufficiently secure," says David Smith, the ICO's deputy commissioner and director of data protection.

"But ignorance is no excuse," he says. "It is especially unforgivable when the organization is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."

The charity reported the website breach to the police on March 9, 2012, and the hacker in the case was arrested one day later, according to the monetary penalty notice.

The hacker targeted the website because of his opposition to abortion, the ICO says. When he gained access to the website's information, the attacker publicly expressed his intention to publish the names of the individuals whose call-back details were held on the site. Police were able to recover the information from the attacker before it was published, the ICO says.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
