Web breach leads to £200k fine

by Mark Rowe

The data protection watchdog has fined the British Pregnancy Advice Service (BPAS) £200,000 after what the regulator termed a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.

The Information Commissioner’s Office (ICO) found the charity didn’t realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely, and a vulnerability in the website’s code allowed the hacker to access the system and locate the data. The hacker threatened to publish the names of those whose details he had accessed, though that was prevented after the police recovered the information following an injunction obtained by the BPAS.

David Smith, Deputy Commissioner and Director of Data Protection, said: “Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure. But ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

The watchdog found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
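The two failings the ICO describes, not knowing what personal data the website was writing and keeping it years beyond its purpose, are both checkable with a routine job. The script below is an added example, not code from the article, the ICO or the BPAS site. It assumes a call-back record holding the four fields the article names, a retention period of 90 days (the article states no period, only that data was held five years too long, so the figure is an assumption), and a constructed set of sample records; it reports which personal fields are actually populated and which records are past the retention limit.

```python
"""Inventory and retention check for web call-back requests (added example).

Assumptions, not from the article: a record schema with the four personal
fields the ICO listed, a 90-day retention period, and constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy value; the article gives no figure
RUN_DATE = date(2014, 3, 1)  # constructed "today" for the worked run


@dataclass(frozen=True)
class CallbackRequest:
    record_id: int
    name: str
    address: str
    date_of_birth: str
    telephone: str
    created: date  # when the web form wrote the record


# Columns a call-back form writes that count as personal data (assumed schema).
PERSONAL_FIELDS = ("name", "address", "date_of_birth", "telephone")

# Constructed sample records: every name, address and number here is made up.
SAMPLE_RECORDS = [
    CallbackRequest(1, "A. Example", "1 Sample St", "1980-01-01", "01632 960001", date(2014, 2, 20)),
    CallbackRequest(2, "B. Example", "2 Sample St", "1985-05-05", "01632 960002", date(2013, 11, 1)),
    CallbackRequest(3, "C. Example", "3 Sample St", "1990-09-09", "01632 960003", date(2009, 1, 15)),
]


def inventory(records):
    """Count how many records hold a non-empty value for each personal field.

    This answers "what are we actually storing?", the question the charity
    could not answer about its own website.
    """
    counts = {field: 0 for field in PERSONAL_FIELDS}
    for record in records:
        for field in PERSONAL_FIELDS:
            if getattr(record, field).strip():
                counts[field] += 1
    return counts


def overdue(records, today, retention_days=RETENTION_DAYS):
    """Return records created before the retention cutoff, oldest first."""
    cutoff = today - timedelta(days=retention_days)
    return sorted((r for r in records if r.created < cutoff), key=lambda r: r.created)


def purge(records, today, retention_days=RETENTION_DAYS):
    """Split records into (kept, removed_ids) according to the retention period."""
    stale_ids = {r.record_id for r in overdue(records, today, retention_days)}
    kept = [r for r in records if r.record_id not in stale_ids]
    return kept, sorted(stale_ids)


if __name__ == "__main__":
    print("personal fields held:", inventory(SAMPLE_RECORDS))
    for r in overdue(SAMPLE_RECORDS, RUN_DATE):
        age = (RUN_DATE - r.created).days
        print(f"record {r.record_id} is {age} days old, past the {RETENTION_DAYS}-day limit")
    kept, removed = purge(SAMPLE_RECORDS, RUN_DATE)
    print("removed ids:", removed, "kept:", len(kept))
```

Run on the sample data with the constructed run date, the inventory shows all four personal fields populated for every record, and records 2 and 3 (120 days and roughly five years old) fall outside the 90-day window while record 1 is kept. Scheduling `purge` and logging its output gives the "know what you hold and for how long" evidence the regulator asked for.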

Meanwhile, the Information Commissioner Christopher Graham also signed a memorandum of understanding with the US Federal Trade Commission. The agreement will allow for closer co-operation between both organisations.

Comments

On the case, Brendan Rizzo, technical director EMEA at Voltage Security, said: “Organisations need to fully understand the responsibility that is intrinsically and automatically linked with their collection of any sensitive data. When the job of implementing an information gathering system falls to an outsourced contractor, the contractor’s goals can lean towards the immediate deliverable of getting this information from the end user to the company, without enough attention being paid to the lifecycle of how this sensitive data will be used, stored and ultimately deleted. The responsibility of making sure the data is protected, however, remains firmly with the company collecting the data. They are the ones that must ensure that any such systems have adherence to the Data Protection Act, and therefore the protection of the end user, in mind at every step from design to delivery and ongoing operational use.

“Companies must ensure that, if the data does need to be collected and stored, that it is protected with strong encryption. Often this is seen as a stumbling block because it has traditionally required extensive customisations to accommodate the use of this encrypted data at every step along the way. Luckily this is no longer an issue with the advent of the new Format Preserving Encryption standard which greatly simplifies the process of protecting the data throughout its entire lifecycle, and thereby mitigating the risk of privacy breaches and the associated costly fines.”

And Lancope CTO, Tim ‘TK’ Keanini, said: “First and foremost, we painfully see how the security of systems is everyone’s problem. No matter what the organisational chart reads, no matter if you are a full time employee or contractor, or where you sit in a complex supply chain, everyone in the ecosystem must be diligent, and a weakness in one area in this connected world becomes everyone’s problem. I’m excited to see a fine associated with this event because it is unfortunately the only way to change business behaviour. If the fine is too low, it will be cheaper to just get breached and pay the fines, so the amount is an important factor. If this were not a hacktivist, it would have been likely that this organisation would not have known of the stolen data until it was identified for sale on some black market.”

Visit www.ico.org.uk
