13 June 2018
The British Pregnancy Advisory Service has received a £200,000 fine for breaching the Data Protection Act after an anti-abortion hacker gained access to the personal details of almost 10,000 people through the charity’s website.
The Information Commissioner’s Office reported that the charity had not realised its site was collecting the names, addresses, dates of birth and telephone numbers of people asking for a call back about advice or counselling on pregnancy and sexual health issues, and so failed to secure it properly. This, along with weaknesses in the website’s code, allowed a hacker to gain access to sensitive information, which the ICO says was stored unnecessarily and which he later threatened to publish.
The charity has said it will be appealing the decision to impose a fine.
The hacker, who defaced the charity’s website with anti-abortion messages, has since received a 32-month prison sentence, according to BPAS.
This is a timely reminder for charities that hold personal data that, as data controllers, they must take active steps to ensure that the personal data they are responsible for is kept safe.
The charity was also found to be in breach of the Data Protection Act for keeping call-back details for five years longer than necessary.