When leaks can kill: abortion provider fined £200k over hacked website

The UK’s data protection watchdog has fined an abortion provider £200,000 for not securing a website that hosted data that, if exposed, could have led to its clients being harmed or killed.

The British Pregnancy Advisory Service (BPAS), the largest abortion service in the UK, will appeal what could be an expensive lesson in security for websites that handle contextually sensitive client data.

The UK Information Commissioner’s Office (ICO) on Friday announced the fine on BPAS for essentially botching a website feature that allowed people to make a request for a call back to discuss pregnancy issues.

A hacker who had used an automated website vulnerability scanner to find a security flaw in the site defaced it on March 8, 2012 with an anti-abortion message and a logo of Anonymous. Shortly afterwards he threatened to publish details he had accessed in the breach.

The hacker never published the call back data, but the ICO believed that BPAS’ security practices could nonetheless have put some clients’ lives in danger.

“Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker,” the ICO said in explanatory notes to the fine.

BPAS reported the incident to police on March 9 and obtained a High Court injunction against the hacker preventing him from publishing the details. On March 10 the London Met’s e-crimes unit arrested the hacker, who has since been sentenced to a 32-month prison term.

The ICO found that BPAS wasn’t aware its website had retained a copy of the call back details of around 9,900 people, consisting of names, addresses, dates of birth and telephone numbers. BPAS was also unaware the website, outsourced to a contractor at the time it was hacked, contained security vulnerabilities.

“But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe,” said David Smith, the ICO’s deputy commissioner and director of data protection.

BPAS breached the Data Protection Act by failing to keep personal information secure and by keeping data five years longer than was necessary for its purposes, according to the ICO, which also noted BPAS had never had its site tested for security flaws.
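The two failures the ICO lists, a form that kept storing submissions the operator did not know about and data retained years past its purpose, are both retention-control failures. As an added illustration for this article (not BPAS’ code, and not anything the ICO published), the routine below enforces a retention policy over a store of call back requests and produces an inventory so retained personal data is known rather than discovered after a breach. The record layout, the two retention periods, the reference date and the sample records are all constructed assumptions.

```python
"""Retention enforcement for call back requests (added example, not BPAS's code).

Assumes a hypothetical store of call back requests and two constructed
retention rules; the record layout and sample data are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed policy: a handled request is kept 30 days after the call was made;
# an unhandled request is kept at most 90 days, after which it is stale anyway.
RETENTION_AFTER_HANDLING = timedelta(days=30)
MAX_UNHANDLED_AGE = timedelta(days=90)


@dataclass
class CallbackRequest:
    record_id: int
    name: str                       # personal data: never written to the purge log
    phone: str                      # personal data: never written to the purge log
    submitted_at: datetime
    handled_at: Optional[datetime]  # None while the call back is still outstanding


def is_expired(rec: CallbackRequest, now: datetime) -> bool:
    """True when the record has outlived the purpose it was collected for."""
    if rec.handled_at is not None:
        return now - rec.handled_at > RETENTION_AFTER_HANDLING
    return now - rec.submitted_at > MAX_UNHANDLED_AGE


def purge_expired(records: List[CallbackRequest], now: datetime
                  ) -> Tuple[List[CallbackRequest], List[str]]:
    """Split records into those to keep and an audit log of what was purged.

    The log carries record ids and ages only, so it can itself be kept long term
    without becoming another copy of the personal data.
    """
    kept, log = [], []
    for rec in records:
        if is_expired(rec, now):
            age_days = (now - rec.submitted_at).days
            log.append(f"purged record {rec.record_id} (age {age_days} days)")
        else:
            kept.append(rec)
    return kept, log


def retention_report(records: List[CallbackRequest], now: datetime) -> dict:
    """Inventory the store: how much personal data is held and how much is overdue."""
    expired = sum(1 for r in records if is_expired(r, now))
    return {"total": len(records), "expired": expired, "retained": len(records) - expired}


def _dt(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = _dt(2012, 3, 8)  # constructed reference time for the sample run
SAMPLE_RECORDS = [     # constructed sample data; names and numbers are placeholders
    CallbackRequest(1, "A. Example", "+44 20 0000 0001", _dt(2007, 1, 15), _dt(2007, 1, 16)),
    CallbackRequest(2, "B. Example", "+44 20 0000 0002", _dt(2012, 2, 20), _dt(2012, 2, 21)),
    CallbackRequest(3, "C. Example", "+44 20 0000 0003", _dt(2012, 1, 1), None),
    CallbackRequest(4, "D. Example", "+44 20 0000 0004", _dt(2011, 11, 1), None),
    CallbackRequest(5, "E. Example", "+44 20 0000 0005", _dt(2012, 3, 7), _dt(2012, 3, 7)),
]

if __name__ == "__main__":
    print(retention_report(SAMPLE_RECORDS, NOW))
    kept, log = purge_expired(SAMPLE_RECORDS, NOW)
    print("\n".join(log))
    print("retained ids:", [r.record_id for r in kept])
```

Run against the constructed sample, record 1 (handled in 2007) and record 4 (unhandled for over 90 days) are purged while records 2, 3 and 5 are kept. The point of the report function is the inventory itself: a scheduled run that emits "total" and "expired" counts is what would have told an operator that a form was silently accumulating thousands of records.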

BPAS said it will appeal the fine, which it believes is disproportionately high for a victim of a crime.

“We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do,” said Ann Furedi, CEO of BPAS.

“This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.”

Far from helping its case, BPAS’ response to the attack, such as not notifying affected individuals and requesting an injunction, signalled it knew the compromised information would likely cause substantial distress to victims, distress being one of the factors the ICO can consider when determining a fine.

“Fortunately, given the motivation of the attacker, an injunction was obtained by BPAS and the call back details were recovered by the police before the attacker contacted the media or otherwise sought to exploit the information for his own ends. This confirms that the contravention was of a kind likely to cause substantial distress even if it can be argued that substantial distress was not actually caused in this case.

“If the data was to be misused by those who had access to it or if it was in fact disclosed to other untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the users of the website such as physical harm or even death in extremis,” the ICO said in its report.

Stories by Liam Tung