The UK’s data protection watchdog has fined an abortion provider £200,000 for not securing a website that hosted data that, if exposed, could have led to its clients being harmed or killed.
The British Pregnancy Advisory Service (BPAS), the largest abortion service in the UK, will appeal what could be an expensive lesson in security for websites that handle contextually sensitive client data.
The UK Information Commissioner’s Office (ICO) on Friday announced the fine on BPAS for essentially botching a website feature that allowed people to make a request for a call back to discuss pregnancy issues.
A hacker who had used an automated website vulnerability scanner to find a security flaw in the site defaced it on March 8, 2012 with an anti-abortion message and a logo of Anonymous. Shortly afterwards he threatened to publish details he had accessed in the breach.
The hacker never published the call back data, but the ICO believed that BPAS’ security practices could nonetheless have put some clients’ lives in danger.
“Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker,” the ICO said in explanatory notes to the fine.
BPAS reported the incident to police on March 9 and obtained a High Court injunction against the hacker preventing him from publishing the details. On March 10 the London Met’s e-crime unit arrested the hacker, who has since been sentenced to a 32-month prison term.
The ICO found that BPAS wasn’t aware its website had retained a copy of the call back details of around 9,900 people, consisting of names, addresses, dates of birth and telephone numbers. BPAS was also unaware the website, outsourced to a contractor at the time it was hacked, contained security vulnerabilities.
“But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe,” said David Smith, the ICO’s deputy commissioner and director of data protection.
BPAS breached the Data Protection Act by failing to keep personal information secure and by keeping data five years longer than was necessary for its purposes, according to the ICO, which also noted that BPAS had never had its site tested for security flaws.
BPAS said it will appeal the fine, which it believed was disproportionately high for a victim of a crime.
“We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do,” said Ann Furedi, CEO of BPAS.
“This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.”
Far from helping its case, BPAS’ response to the attack, such as not notifying affected individuals and requesting an injunction, signified that it knew the compromised information would likely cause substantial distress to victims — distress being one of the factors the ICO can consider when determining a fine.
“Fortunately, given the motivation of the attacker, an injunction was obtained by BPAS and the call back details were recovered by the police before the attacker contacted the media or otherwise sought to exploit the information for his own ends. This confirms that the contravention was of a kind likely to cause substantial distress even if it can be argued that substantial distress was not actually caused in this case.
“If the data was to be misused by those who had access to it or if it was in fact disclosed to other untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the users of the website such as physical harm or even death in extremis,” the ICO said in its report.