ICO fines charity £200,000 for data breach

  • 7 March 2014
  • 0 replies
  • 314 views

The Information Commissioner’s Office (ICO) has imposed a penalty of £200,000 on the British Pregnancy Advice Service (BPAS) for exposing thousands of personal details to a malicious hacker.

The case highlights how exposed websites are to attack, as well as the challenge facing charities and smaller businesses that lack the resources to defend against a wide range of cyber threats.

An ICO investigation found the charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues.

The personal data was not stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
 
The hacker threatened to publish the names of the individuals whose details he had accessed, but the data was recovered by the police following an injunction obtained by the BPAS.

“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure,” said David Smith, deputy commissioner and director of data protection.

“But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.”
 