Breach details
What | A hacker threatened to post the names and call back details of everyone who had submitted their contact details to the BPAS website. |
How much | 9,900 records. |
When | 08 March 2012. |
Why | The BPAS website was originally developed in 2007 and was to include an online ‘appointment booking service’. This was then scrapped due to security concerns, and BPAS mistakenly assumed that no call back data would be retained on the CMS. In 2008 another IT company was asked to host the website, but as BPAS was unaware that it was processing the call back data they did not ensure that administrative passwords were stored securely. BPAS also failed to carry out appropriate security testing so continued to remain ignorant of the website’s vulnerabilities. These vulnerabilities enabled an attacker to access the CMS and deface the website, threatening to publish the names of those whose call back details were held on the website. Fortunately, these were not published as the attacker was arrested the following day and the information was recovered following an injunction. |
Regulatory action
Regulator | ICO | Action | Monetary penalty of £200,000. |
When | 07 March 2014. |
Why the regulator acted
Breach of act | Breach of the Seventh Data Protection Principle: BPAS failed to take appropriate measures against the unauthorised processing of personal data as they didn’t delineate specific parameters to ensure the website did not store personal data, nor set up appropriate security measures. |
Known or should have known | BPAS clearly knew that personal data of this nature needed to be held securely as they decided not to put in place their original ‘appointment booking system’ and provided promises of security in their privacy policy. They should have been able to prevent the contravention by having a detailed specification of the parameters of the CMS to either ensure that data was not stored on the website or provide adequate security for this information. |
Likely to cause damage or distress | The website’s privacy policy led users to believe that their information would remain secure and confidential, and the ability of a hacker to access this information is likely to cause substantial distress if this was known, particularly with the fear that this data could be further disseminated. If the data had been misused by the attacker or disclosed to untrustworthy third parties there is a risk that some individuals would have faced physical harm or even death given their ethnicity or social background and the nature of the advice they were seeking (including abortion and sterilisation). |
Links
View PDF of the British Pregnancy Advice Service Monetary Penalty Notice (Breach Watch Archive) |
View PDF of the British Pregnancy Advice Service Monetary Penalty Notice (Via ICO Website) |