British Pregnancy Advice Service fined £200,000
- Racing Post pulls up short on IT security
- Local authorities audit report: “areas of good practice, but clear room for improvement by all”
- Repeated security failings lead to £180,000 fine for Ministry of Justice
- Birmingham banker fined for reading colleagues' bank accounts
- ICO raids call centre ‘connected to spam text operation’
Hacker threatened to publish thousands of names of people who sought advice on abortion, pregnancy and contraception
News release: 7 March 2014
The British Pregnancy Advice Service (BPAS) has been fined £200,000 after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
An ICO investigation found the charity didn’t realise its own website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
The hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS.
David Smith, Deputy Commissioner and Director of Data Protection, said:
“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure.
“But ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
Yesterday, the Information Commissioner Christopher Graham also signed a memorandum of understanding with the US Federal Trade Commission. The agreement will allow for closer co-operation between both organisations.
If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.org.uk.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection