The British Pregnancy Advisory Service has been fined £200,000 for breaching the Data Protection Act after an anti-abortion hacker gained access to almost 10,000 people’s personal details through its website.
The Information Commissioner’s Office said its investigation found the charity did not realise its website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice or counselling on pregnancy and sexual health issues such as contraception, abortion, vasectomy or erectile dysfunction.
A hacker was able to access the system and the information because the personal data was not stored securely and there was a weakness in the website’s code, the ICO said.
The charity said it was horrified at the size of the fine and would appeal.
The ICO’s report on its investigation, published today, says details of about 9,900 people were being stored unnecessarily and the hacker was able to gain access to all their information.
The report says the hacker threatened to publish the names of the people whose details he had accessed. He targeted the BPAS because he disagreed with abortion and identified the charity as the UK’s largest provider of abortion services, the report says.
The man was arrested on 10 March 2012, the day after the BPAS reported the attack to the police.
If the hacker had published the details of some of the people, they might have come to physical harm or even been killed because of their ethnicity and social backgrounds, the ICO report says.
The BPAS said it would be appealing the ICO’s decision to fine the charity.
Ann Furedi, chief executive of the charity, which had an income of £27m in the year to March 2013, said: "This fine seems out of proportion when compared with those levelled against other organisations that were not themselves the victims of a crime. It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way.
"We accept that no hacker should have been able to steal our data, but we are horrified by the scale of the fine, which does not reflect the fact that we were the victim of a serious crime by someone opposed to what we do."
The hacker also defaced the charity’s website with anti-abortion messages and has since received a prison term of 32 months, the BPAS said.
David Smith, deputy commissioner and director of data protection at the ICO, said: "Data protection is critical and getting it right requires vigilance. The BPAS didn’t realise its website was storing this information, how long it was being retained for and that it wasn’t being kept sufficiently secure.
"But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
The ICO investigation found that the BPAS had also breached the Data Protection Act by keeping the call-back details for five years longer than was necessary for its purposes.