The British Pregnancy Advice Service has been fined £200,000 for failing to protect the personal information it held on thousands of people seeking advice, which a malicious hacker stole and then threatened to publish.
An investigation by the Information Commissioner’s Office (ICO) found the charity – which offers advice on abortion, pregnancy and contraception – did not realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call-back for advice.
The personal data – on over 10,000 people – was not stored securely, and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
The hacker – subsequently identified as James Jeffery from Wednesbury, West Midlands – defaced the service’s website with the Anonymous logo before threatening to publish the names of the individuals whose details he had accessed.
The former software engineer was arrested days after the attack, prosecuted and ultimately sentenced to 32 months in prison back in April 2012 for the attack on BPAS and other admitted hacking offences.
ICO deputy commissioner and director of data protection David Smith said: “Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure.
“But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
The investigation found that, as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call-back details for five years longer than was necessary for its purposes.