March 9th 2014
The British Pregnancy Advisory Service (BPAS) has been fined £200,000 by the Information Commissioner's Office (ICO).
The penalty follows a serious breach of the Data Protection Act in which thousands of people's details were exposed to a malicious hacker who threatened to publish their names online.
An ICO investigation found that the charity did not realise that its own website was storing the names, addresses, dates of birth and telephone numbers of people who had asked for a call back. This personal and highly sensitive data was not stored securely, and a vulnerability in the website's code enabled the hacker to access the system and find the information.
The organisation obtained an injunction enabling the police to recover the information, preventing the hacker from publishing it.
Deputy Commissioner and Director of Data Protection David Smith said: “Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure." Mr Smith continued: “But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe. There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
The BPAS had also breached the Data Protection Act in a second way: it kept the call-back details for five years longer than was necessary for its purposes.