BPAS Appeals £200,000 Fine Over Hacked Website

DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

so they got an anti-abortion judge

[Anonymous Coward]

lucky them

"Anonymous anti-abortion extremist"

[schwit1]

If the perpetrator was sent to jail how is this 'anonymous'?

How do you know this wasn't a simple extortion for money scheme?

Low hanging fruit...

[Anonymous Coward]

If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.

No Sympathy

[TechyImmigrant]

I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

Re:hmmm

[Xest]

A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.

Re:No Sympathy

[Fallen Kell]

I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.

Re:so they got an anti-abortion judge

[Jane Q. Public]

"so they got an anti-abortion judge"

Trust some AC on Slashdot to try to turn it into a political issue.

It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.

Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.

How far do these laws go?

[BitterOak]

This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?

Re:so they got an anti-abortion judge

[Anonymous Coward]

Trust some AC on Slashdot to try to turn it into a political issue.

This coming from one of the most politically-instigating people on the site.

Re:so they got an anti-abortion judge

[interkin3tic]

Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.

I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.

Re:so they got an anti-abortion judge

[sudo]

Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.

I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
At least, the ICO should demonstrate the fine is consistent with other cases.

Re:How far do these laws go?

[hawkinspeter]

As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.

Re:so they got an anti-abortion judge

[Jane Q. Public]

"Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."

Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.

Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.

It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.

Re:so they got an anti-abortion judge

[SpankiMonki]

Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.