Become a fan of Slashdot on Facebook


Forgot your password?
Slashdot Deals: Cyber Monday Sale Extended! Courses ranging from coding to project management - all eLearning deals 20% off with coupon code "CYBERMONDAY20". ×
United Kingdom Privacy

BPAS Appeals £200,000 Fine Over Hacked Website 104

DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."
This discussion has been archived. No new comments can be posted.

BPAS Appeals £200,000 Fine Over Hacked Website

Comments Filter:
  • by Anonymous Coward on Friday March 07, 2014 @03:37PM (#46430563)

    lucky them

  • by schwit1 (797399) on Friday March 07, 2014 @03:39PM (#46430577)

    If the perpetrator was sent to jail how is this 'anonymous'?

    How do you know this wasn't a simple extortion for money scheme?

  • by Anonymous Coward on Friday March 07, 2014 @03:41PM (#46430597)

    If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.

  • No Sympathy (Score:5, Insightful)

    by TechyImmigrant (175943) on Friday March 07, 2014 @03:47PM (#46430627) Journal

    I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

  • Re:hmmm (Score:5, Insightful)

    by Xest (935314) on Friday March 07, 2014 @03:50PM (#46430645)

    A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.

  • Re:No Sympathy (Score:5, Insightful)

    by Fallen Kell (165468) on Friday March 07, 2014 @03:58PM (#46430693)
    I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.
  • by Jane Q. Public (1010737) on Friday March 07, 2014 @04:01PM (#46430719)

    "so they got an anti-abortion judge"

    Trust some AC on Slashdot to try to turn it into a political issue.

    It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.

    Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.

  • by BitterOak (537666) on Friday March 07, 2014 @04:23PM (#46430895)
    This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?
  • by Anonymous Coward on Friday March 07, 2014 @04:26PM (#46430919)

    Trust some AC on Slashdot to try to turn it into a political issue.

    This coming from one of the most politically-instigating people on the site.

  • by interkin3tic (1469267) on Friday March 07, 2014 @04:32PM (#46430985)
    Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.

    I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.
  • by sudo (194998) on Friday March 07, 2014 @04:35PM (#46431011) Homepage

    Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.

    I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
    At least, the ICO should demonstrate the fine is consistent with other cases.

  • by hawkinspeter (831501) on Friday March 07, 2014 @04:50PM (#46431137)
    As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.
  • by Jane Q. Public (1010737) on Friday March 07, 2014 @05:03PM (#46431245)

    "Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."

    Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.

    Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.

    It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.

  • by SpankiMonki (3493987) on Friday March 07, 2014 @07:22PM (#46432247)
    Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.

"Everybody is talking about the weather but nobody does anything about it." -- Mark Twain