British Pregnancy Advice Service Fined
Hacker Gained Access to Personal Info on Website
The UK Information Commissioner's Office has fined the British Pregnancy Advice Service £200,000 after a hacker gained access to personal details for about 10,000 of its clients. The charity provides reproductive support services for women.
The ICO says its investigation found that the charity didn't realize its website was storing names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.
A hacker was able to access the information on the website because of a vulnerability in the website's code and because the personal data wasn't stored securely, the ICO says.
The ICO also found that the charity failed to comply with the Data Protection Act by keeping the call-back details for five years longer than was necessary.
"The British Pregnancy Advice Service didn't realize their website was storing this information, didn't realize how long it was being retained and didn't realize the website wasn't being kept sufficiently secure," says David Smith, the ICO's deputy commissioner and director of data protection.
"But ignorance is no excuse," he says. "It is especially unforgivable when the organization is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
The charity reported the website breach to the police on March 9, 2012, and the hacker in the case was arrested one day later, according to the monetary penalty notice.
The hacker targeted the website because of his opposition to abortion, the ICO says. When he gained access to the website's information, the attacker publicly expressed his intention to publish the names of the individuals whose call-back details were held on the site. Police were able to recover the information from the attacker before it was published, the ICO says.