I couldn’t fall asleep last night. It’s not often that a data breach worries me, but what I read online had concerned me. According to a hacker calling himself @PabloEscobarSec, he had hacked the British Pregnancy Advisory Service (BPAS), and intended to leak the names of all of the women who had used the service. He claimed to be doing that to protest abortions:
British Pregnancy Advisory Service was attacked because they kill unborn children that have no rights. It’s murder.
— PabloEscobar (@PabloEscobarSec) March 8, 2012
A few of us tried to convince him otherwise, but got no response. In hindsight, he may not have responded because the police already had him in custody.
And so I stayed awake last night, worrying about the consequences if 50,000 women’s names were dumped on the Internet with the label of having had an abortion.
How many of those women had sought abortions following impregnation due to rape?
How many teenage girls had sought abortion following impregnation due to incest?
How many might be at risk of domestic abuse or violence if it became known they had had an abortion?
I felt sick inside. Embarrassment and job discrimination are serious enough consequences of a data leak, but this one had the potential for even more serious consequences.
Around 2:00 am ET, the news broke that the hacker had been arrested and was being detained. I breathed a sigh of relief – for now – and mentally blessed law enforcement for their quick action to prevent a data leak that could have horrific consequences.
But as I read the media coverage and the subsequent statements from BPAS and Scotland Yard, I realized that a data leak of supposed abortion patients was also horribly misleading. Despite what the hacker had claimed, the database was not a database of women who had obtained abortions. It also included the names of women, professionals, and even students who had simply sought information from the service on any one of a number of health-related issues, including contraception and STDs . So what we might have had are thousands of women being publicly named, shamed, and put at risk for allegedly having abortions when many or even most of them never had one.
Reputations ruined. Lives put at risk. By a young self-proclaimed “hacktivist” with self-proclaimed ties to Anonymous who doesn’t seem to have understood what data he had acquired and who didn’t demonstrate any ethical regard for what damage a leak could have done. What could a more proficient hacker have accomplished – and what difference would a court injunction make to someone who flaunts the law?
Some hacks are worse than others.
This was one of the bad ones and it could have been much worse.
But where were members of Anonymous yesterday and last night when this guy was posting his intentions? Why didn’t members of Anonymous speak up and say, “Hey, guy, that’s a really bad idea.” After all the tweets about International Women’s Day and how Anonymous loves women and we should stay strong and not take sh*t from anyone, why did Anonymous remain silent in the face of this hack? And what will it do now to promote more ethical hacktivism?
Update of March 10: James Jeffery has pleaded guilty to hacking PBAS and in court, claims he had a change of heart about posting the data online and decided it would be “wrong” to do so. He remains in custody. As of today’s update, the main Anonymous-related Twitter accounts still have not denounced the hack or the intended data dump. Their thundering silence belies their claims of concern for individuals.
What a liberal slant on what is an almost everyday occurrence in the security community. What makes this hack any worse than those that put businesses in such a financial strain that they eventually end up going out-of-business or spending millions of dollars to recuperate? The are all “horrific” for someone. Report the news – not your liberal agenda.
This is a blog, not just a news site.
Very few businesses go out of business over a hack – some of us have been looking for such examples for years and have only found a handful that were so seriously affected. As to millions of dollars to recuperate, yes, but that’s not as meaningful or significant to me as the human cost/impact. YMMV.
Do keep in mind that this blog is a spinoff of my privacy issues blog, PogoWasRight.org, and that I am primarily a privacy blogger. I am not a security professional, as I’ve said many times, and the blog post was tagged as “commentary.”
This is not a news site, and the article didn’t masquerade as such. It was commentary on how hypocritical it is for an organization that styles itself as giving voice to the voiceless to stand by and allow this to happen. Other attacks, at least on the surface, are trying to raise awareness of an issue that is believed to need it raised. This breach disclosure was squarely and solely intended to silence supporters by invoking the spectre of guilt by association. This moved from an attack on groups, organizations, and ideologies to an attack on individuals.
Would you lump medical records, prescription history, or substance abuse treatment notes in with brokerage records, video rental history, or grocery shopping purchases as far as risk of embarassment, discrimination, or harm resulting from unauthorized disclosure?
At the core, it was about how Anonymous’ rhetoric and behavior don’t agree with one another. Not surprising, when an organization claims to simultaneously be everyone and no one. It is the shift to an attack on individuals that may cause Anonymous to lose any popular support they may have had. If this person were truly associated with them, they should take a step back, analyze the behavior, and ask, “Is this good for the company?”
Thanks, Mike. I think you may have said it better than I did.
Coming from the UK, I find the notion that one would be ‘shamed’ for having an abortion pretty mediaeval. I’m sure it happens here and there are some rightwing nutjobs attacking womens rights, including abortion services, but they’re seen as fringe rightwing nutjobs by mainstream society. Yes, the Internet crosses boundaries and all those USanian antiabortionists would pile onto anyone outed like this and yes, such outing would be an appalling invasion of privacy. Yes, it’s a childish abuse of power by someone who has no manners, no empathy and no maturity. But I wanted to give you the viewpoint that to see this as automatically shameful is not the common, mainstream attitude here in Britain.
Glad to hear that, but there are a number of subcultures there where women would be shamed and in danger, perhaps, from family members who may feel that dishonor has been brought on the family, etc.
I’m against abortion, but as long as it is a legal service, the people using it should have their identities protected if they so wish. This is more a privacy issue than a political one for me.