A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website.
08 March 2012.
The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped because of security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but because BPAS was unaware that the site was still processing call back data, it did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing, so it remained ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on it. Fortunately, these were not published: the attacker was arrested the following day and the information was recovered following an injunction.
Monetary penalty of £200,000.
07 March 2014.
Why the regulator acted
Breach of act
Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data, as it neither specified requirements to ensure the website did not store personal data nor put appropriate security measures in place.
Known or should have known
Likely to cause damage or distress
View PDF of the British Pregnancy Advice Service Monetary Penalty Notice (Breach Watch Archive)
View PDF of the British Pregnancy Advice Service Monetary Penalty Notice (via ICO website)