Case Studies

Hacked, fined charity tells story

by Mark Rowe

The largest fine against a charity by the data protection regulator, the ICO, was for £200,000 against the British Pregnancy Advisory Service (BPAS), in 2014. At the charity fraud conference by the Fraud Advisory Panel and the charity sector regulator the Charity Commission, in London on Friday, October 28, BPAS told its side of the story.

The hacker was arrested inside 24 hours, but not before he had threatened to expose (for anti-abortion reasons) the names of thousands of people who had contacted BPAS through a ‘call back’ part of its website, to get advice. Chris Plummer, director of strategy at BPAS, said that the hacker had left the hacking tool on the server; and the data was recovered before it had been distributed. The charity came under denial of service and copycat attacks as a result of the publicity; and still gets cyber-attacked, he told the event.

The hacker was jailed for 32 months in 2012.

Chris Plummer said that ‘the ICO came calling’: “No-one from the ICO actually came to the BPAS at any stage.” There were no meetings and ‘we weren’t even made aware that we rather than the incident was part of the investigation’. All communication by the ICO was by email. The BPAS website was years old and the staff who had done the website had since left the charity; BPAS sacked the IT contractor and after the hack the website was hosted with a new contractor. BPAS, however, could not prove that it had specified to the original IT system developer that no personal data was to be retained on the site. As Chris Plummer stressed, having such documentation was key.

As the ICO pointed out when announcing the fine, and as Chris Plummer acknowledged, ignorance was no excuse (the charity did know to protect its clinical data as sensitive, but did not know that the ‘call back’ requests were on the website, and hackable). For what the ICO said about the data protection breach and the reasons for the fine (in fact reduced to £160,000) see the ICO website.

More in the December 2016 print issue of Professional Security magazine.
