The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
The hacker was able to access the “call-back” details of thousands of individuals, initially collected by the BPAS website via a web form from those individuals who wanted BPAS to contact them to offer advice. Although such details consisted of name, address, date of birth and telephone number, a statement on the BPAS website clearly explained that the services on offer included contraceptive advice, abortion and STI-screening. Therefore, the individuals who submitted their details for a call-back were more than likely to require advice in relation to one or more of these services provided by BPAS. It is understood that some of the call-back details were from individuals whose ethnicity and social backgrounds could have led to physical harm or even death if the information had been disclosed by the attacker.
The Information Commissioner’s Office investigation found that the charity did not realise its own website was storing the above personal details of people who asked for a call-back for advice on such issues. The personal data was not stored securely, and vulnerability in the website code allowed the hacker to access the system and locate the information.
The hacker threatened to publish the names of the individuals whose details he had accessed, although that was prevented after the information was recovered by police following an injunction obtained by BPAS.
The investigation found that as well as failing to keep the personal data secure, BPAS had also breached its obligations under the DPA by keeping the call-back details for five years longer than was necessary for its purposes.
A copy of the Monetary Penalty Notice is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.