Forgot your password?
typodupeerror
United Kingdom Privacy

BPAS Appeals £200,000 Fine Over Hacked Website 104

Posted by Unknown Lamer
from the check-your-databases dept.
DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."
This discussion has been archived. No new comments can be posted.

BPAS Appeals £200,000 Fine Over Hacked Website

Comments Filter:
  • by schwit1 (797399) on Friday March 07, 2014 @04:39PM (#46430577)

    If the perpetrator was sent to jail how is this 'anonymous'?

    How do you know this wasn't a simple extortion for money scheme?

  • by ganjadude (952775) on Friday March 07, 2014 @04:40PM (#46430595) Homepage
    Well I mean there do need to be penalties for companies not storing customer data correctly, especially in the medical field. Im not versed enough on abortion cliniques to know if 200K is justified or not but they should get some sort of fine no questions
    • Re:hmmm (Score:5, Insightful)

      by Xest (935314) on Friday March 07, 2014 @04:50PM (#46430645)

      A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.

      • by jythie (914043)
        That was my thought too. This is not exactly a tech savvy organization that did a lot of in house work. If this is not sorted out it could set a worrying precedent that hacking groups that have limited resources can really hurt them, esp since even well funded ones are rarely able to fend off a dedicated attacker with a profit motive or agenda.
        • This isn't about the hacking groups being able to hurt anyone. It is about doing proper security and handling of personal information. The data was being stored improperly, end of the discussion. It doesn't matter if a hacker group then hacked the website or not and discovered the data and stole it. The data should never have been there to begin with for the hackers to get to, and that is the problem. However, doing things "right" costs money. Businesses and organizations need to know that cutting corners w
          • That's the problem with out-sourcing to the experts without hiring an expert of your own in-house to verify that it was being done right. If there was an internal guy who was tasked with verifying the architecture and the security of the work, make him the scapegoat - but the fact that they're just trying to fine the organization outright is a clue to me that the didn't have an internal resource in place when they should have.
          • by wagnerrp (1305589)
            "Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine. Hell, even plenty of so-called experts don't know the right way to do things. If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.
            • If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.

              But the security industry does know what they are doing. The "industry standard practice" for special characters is to limit the ability of a brute force attack of your password. By requiring a special character, they increased the search space needed to find the password. For an 8 character length password requiring lower case letters, there are 8*26 possible passwords. Add upper case letters, and there are 8*52 possible passwords. Add numbers and there are 8*62 possible passwords. Add special characters a

              • by wagnerrp (1305589)
                That argument only holds true if passwords were actually randomly generated. Humans are incapable of intentionally generating entropy. If forced to add a capital letter to a password, users will most likely place a single capital at the beginning or end. Numbers and special characters will replace similar looking letters. Passwords will still be based off dictionary words. The effective increase in entropy produced by such requirements is many orders of magnitude less than what the increased keyspace w
            • by Shimbo (100005)

              Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine.

              The principles are in Schedule 1 of the DPA [legislation.gov.uk]

          • by rtb61 (674572)

            Still it is a charity as such the judge should take that into account. It is not fining the charity it is fining those who get assisted by the charity by denying them services and it is fining those who contribute to the charity by asking them to handover money to the government instead of the charity and the people that charity assists.

            So the judge needs to step back and consider what he is doing in reality. Hmm, this really does stink of an anti-abortion judge doing their bit.

        • by lgw (121541)

          Not being tech savvy is no excuse. Hire a contractor to do the work, then pay for a security audit from a different firm. That's all that's required.

      • by RobinH (124750)
        We can't allow some beret-wearing-mac-toting hipster web site developer to be held responsible, now can we? Actually, all jesting aside, it's right to hold the organization accountable, and possibly key people at the organization if it can be shown that they didn't fulfill their duty (and clearly someone didn't). The contractor is almost never responsible legally in this case, though if the contract demanded that the software do something and it didn't do it, then the organization may be able to sue for b
      • by mjwalshe (1680392)
        Unfortunately charitys in the UK collectively need this wakeup call - I worked on a few charity projects and we where certain that at least one of our clients -one of the Huge uk charities - was completely ignoring some of the rules on handling bank and CC details.

        Its hard but the charity needs to merge with another in the field and start taking its computer security seriously.
      • That clause only applies to criminal offences under the Data Protection Act. This was a Civil Monetary Penalty which the ICO has levied for a breach of the 7th Principle.

        Breaching the Principles is not in itself a crime (hence "Civil" Monetary Penalty). There are crimes under DPA, for example unlawfully obtaining personal data.

        The charity *should* have contracts in place with the website provider that allow them to recover the cost of the fine on the basis that the contractor didn't do the job properly.....

  • by Anonymous Coward

    If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.

    • by jythie (914043)
      That is my thought. Non-profits like this generally depend on the contractors to have done their job right since their limited resources tend to be focused on their mission.
      • by sudo (194998)

        Actually a lot of charities use volunteers.

        This will need to change if they intend to store extended user databases

    • by mjwalshe (1680392)
      Unlikely Charitys get a lot of slack in the UK there are no overzelous elected prosecutors trying to get headlines to further his political career. Charitys are notorious for bad hr issues.
    • by jimicus (737525) on Friday March 07, 2014 @05:55PM (#46431189)

      That's not how ICO fines work.

      The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.

      Once the investigation is complete, they'll do a few things:

        1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
        2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
        3. Issue a thumping great fine.

      It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.

      • That's not how ICO fines work.

        The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.

        Once the investigation is complete, they'll do a few things:

        1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.

        2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.

        3. Issue a thumping great fine.

        It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.

        Parent posting needs to be modded up.

      • by jimicus (737525)

        Replying to myself, but.... £200,000 is a pretty big fine by ICO standards.

        Reading the report, it seems that while the BPAS did everything right once the breach was discovered, the circumstances that led to it happening in the first place were caused by pretty blatant incompetence. They knew (or should have known) that the details of people who wanted to use their services would be confidential information, they sacked the firm that built the website over concerns for their ability but they kept the s

  • No Sympathy (Score:5, Insightful)

    by TechyImmigrant (175943) on Friday March 07, 2014 @04:47PM (#46430627) Journal

    I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

    • Re:No Sympathy (Score:5, Insightful)

      by Fallen Kell (165468) on Friday March 07, 2014 @04:58PM (#46430693)
      I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.
    • Why so black and white? Your brain should be able to handle sympathy while at the same time thinking they should be required to pay the fine.

      At the very least, realize that the people who are going to be paying the price here aren't people who said "Hey, know what? FUCK PRIVACY! HAHAHAHAHAHA!"
      • Because this was the UK, where the terms of the data protection act are well understood. Ignorance of that is no more excusable than ignorance of tax law, or speed limits.

        They had plenty of non technical choices to protect the data. They could have kept it on paper in a locked room. They could have kept the computers off the internet. They could have kept the data in excel tables on USB sticks. They could have hired a consultant who specializes in data protection compliance. There are no shortage of them.

    • by Anonymous Coward

      So if you have some repairs done on your bike or car, and you don't self-certify that the car / bike is in perfect working order and you go careening through an intersection killing 3 children, you will be held responsible for your lack of verifying that all repairs were completed properly.

      Gotcha, can't wait to see you executed for that bub.

      A contractor is responsible for their work - that's why they have to carry insurance for errors / omissions.

      If the Charity said "make sure it's secure" but had no one on

      • by Anonymous Coward

        K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.

        The charity was the organisation registered as a data controller. It was their responsibility to ensure the security of the data. It was their responsibility to define the requirements of the system comprehensively. It was their responsibility to make sure the contractor did the job correctly. They failed in their responsibility, and now face the consequences.
        This i

      • by Anonymous Coward

        If the Charity said "make sure it's secure" but had no one on staff to validate that, then it's no different from your local mechanic fudging the work causing your brakes to fail and you get sent to prison for life or get executed for murdering innocent children.

        K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.

        No, YOU need to pull your head out of YOUR ass and understand it was the charity that had the legal resp

  • by BitterOak (537666) on Friday March 07, 2014 @05:23PM (#46430895)
    This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?
    • by hawkinspeter (831501) on Friday March 07, 2014 @05:50PM (#46431137)
      As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.
    • by eionmac (949755)

      In UK these laws apply to all 'personal data' , even in written form inside your organisation, all personal data must be securely held.
      Thus membership list etc should be kept in a safe or locked cupboard in locked premises if in written form and in secured electronic form if on a database or website. No if, No buts! Germany is the toughest on data protection.

  • Is that they're fining a non profit organization supported by donations.

    If this was a business I would see more sense, but somehow fining charities doesn't sit well with me.

    • by frisket (149522)
      I have the same slight sense of unease because they're a charity doing important work, but the people responsible (the individual[s] and their management) have to be taught a lesson they won't forget. Perhaps naming and shaming them is more appropriate.
      • If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.

        The size of the fine is not a reflection of the degree of negligence but a result of the damage done . In this c

        • by whoever57 (658626)

          If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.

          If you are correct, then the BPAS should be able to sue the contractor, since it was the contractor's sole fault th

  • by cas2000 (148703) on Friday March 07, 2014 @05:46PM (#46431103)

    The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

    This is nonsense. "data theft" and "failure to secure personal data" are two completely different crimes - it's perfectly normal for different crimes to have different penalties.....and failing to secure the personal details of 9900 patients is a far more serious crime than breaking into a computer and copying files.

  • by Anonymous Coward

    Many thousands of women from the Republic of Ireland have to travel to the UK in order to get a safe abortion, as abortions are virtually illegal in Ireland. What makes this particularly serious is that Ireland has moved towards making it illegal for Irish citizens to have an abortion anywhere in the world; and so if this information had leaked then thousands of women could have become liable for prosecution or at least investigation.

  • I find this outcome incredibly offensive. The hacker is probably so radically anti-abortion that he doesn't give a shit about his fine or jail-time. All this really does is damage the charity, which was probably his goal in the first place: to get them fined for not securing data. And, as has already been mentioned, the charity probably isn't even responsible for the data breach. All the work was probably contracted out. Besides, if Stratfor and Sony and damn near everyone else can't securely store data, wh

[Crash programs] fail because they are based on the theory that, with nine women pregnant, you can get a baby a month. -- Wernher von Braun

Working...