Some breaches are potentially much more harmful than others. A March 2012 hack involving the British Pregnancy Advice Service (BPAS) fell into that group, and I was so concerned about the breach and the threatened data dump that on Twitter, I publicly called out members of Anonymous for sitting back and not speaking up to try to dissuade a self-proclaimed member of Anonymous from dumping such personal information.
The hacker eventually pleaded guilty and was sentenced to jail. But now I read on BBC that the BPAS has been fined £200,000 by the Information Commissioner’s Office over the breach. That’s one of the largest fines issued by the ICO to date.
In a press release about the civil monetary penalty, the ICO writes:
An ICO investigation found the charity didn’t realise its own website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
David Smith, Deputy Commissioner and Director of Data Protection, said:
“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure.
“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
Update: BPAS will appeal the amount of the fine. See Jon Baines’ commentary on the fine on Information Rights and Wrongs.