The British Pregnancy Advisory Service is planning to appeal a fine of £200,000 issued by the data security regulator after an anti-abortion hacker gained access to thousands of client names, addresses and phone numbers and threatened to publish them.
The Information Commissioner’s Office has today announced the fine following what it called a “serious breach of the Data Protection Act”. The charity had not realised that it was storing the names, addresses, dates of birth and phone numbers of people who had contacted it for a call back on pregnancy issues on its website. No medical records, however, were at risk of being hacked.
In 2012 a malicious hacker gained access to this personal data of ‘thousands’ of BPAS clients, and threatened to publish it. The hacker was an anti-abortion activist who also defaced the charity’s website. The charity contacted police immediately and secured a High Court injunction against the hacker publishing the confidential details. Police were able to retrieve the data from the hacker, who was later sentenced to 32 months in prison.
BPAS chief executive Ann Furedi said that the charity was appalled by the size of the fine, which she argued would effectively "reward" the extremist's actions. The charity itself turned over just over £27m in the last year on record.
“We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that bpas was a victim of a serious crime by someone opposed to what we do. bpas is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy,” she said.
“This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime. It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way. We will be appealing the verdict of the Information Commissioner’s Office.”
The ICO also criticised the charity for keeping information on individuals for five years longer than it needed to.
ICO Deputy Commissioner and director of data protection David Smith described the practices of the charity as “unforgiveable”.
“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advisory Service did not realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure,” he said.
“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by BPAS.”