BPAS Appeals £200,000 Fine Over Hacked Website

DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

Re:

[Jane Q. Public]

"so they got an anti-abortion judge"

Trust some AC on Slashdot to try to turn it into a political issue.

It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.

Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.

Re:

[Anonymous Coward]

Trust some AC on Slashdot to try to turn it into a political issue.

This coming from one of the most politically-instigating people on the site.

Re:

[Jane Q. Public]

"This coming from one of the most politically-instigating people on the site."

Example?

Please show me where I have tried to "politicize" abortion or other social subject. I certainly do have opinions about them, but I don't think a court should be making decisions based on politics. I would be interested in seeing an example of where you think I might have stated otherwise.

Re:so they got an anti-abortion judge

[interkin3tic]

Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.

I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.

Re:

[Jane Q. Public]

Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.

What I was referring to was GP inferring that the charity got a "heavy-handed" judgment because of the abortion issue, rather than it simply being a judgment they deserved for being irresponsible with personal information.

It should not matter what the politics of either the charity or the criminal are; judgments are supposed to be apolitical. Saying the judgment was political is trying to inject politics into a legal matter. Do you somehow disagree with that? Or do you just assume that the court's decisi

Re:

[Penguinisto]

Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be.

I may be wrong on this, but in the US, HIPAA would rule the day on such a case, no? That would mean that 200k Pounds Sterling would be a wee drop in the bucket compared to the fine such an organization would face here should it face a data leak of that magnitude.

Remove the mission statement of the place... this is confidential patient information, and should be safeguarded as such. If the place demands to be treated as a health facility (even if social), then it has to take the responsibilities along with t

Re:

[cduffy]

I may be wrong on this, but in the US, HIPAA would rule the day on such a case, no? That would mean that 200k Pounds Sterling would be a wee drop in the bucket compared to the fine such an organization would face here should it face a data leak of that magnitude.

You're making substantial assumptions about what kind of teeth HIPAA has. When I worked at a medical software company -- wherein I was directly responsible for systems handling patient data, went through HIPAA training, and worked directly with our

Re:so they got an anti-abortion judge

[sudo]

Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.

I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
At least, the ICO should demonstrate the fine is consistent with other cases.

Re:

[Jane Q. Public]

"Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."

Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.

Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.

It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.

Re:

[Shimbo]

Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
>

It's less that 1% of their annual turnover, and could easily come out of their senior management's pay. Think that will happen? Me neither.

Re:

[pjt33]

UK salaries aren't that high: it's more like the annual salary of about five professionals, and it seems to be about three times their annual "governance" spending according to the summary of their accounts [charitycommission.gov.uk] on the Charity Commission website (although since they apparently have the equivalent of 354 full-time employees they must be filing the bulk of their wage bill under "charitable activities"). Perhaps more pertinently, it's about 1% of annual turnover, which is not an unreasonable level to pitch a fine w

Re:

[SpankiMonki]

It's about time that some of these organizations (including banks and others)...Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices....It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.

I guess "heavy handed" is a relative term, so let's take a look at ICO's BPAS fine vs ICO's bank fine:

The ICO fined The Royal Bank of Scotland [ico.org.uk] the grand sum of £75,000 in 2013*. The RBS Group had around £18 billion in income during 2012, and the top 2 executives received almost £4 million (excluding stock awards) in compensation. (RBS 2013 Financials) [rbs.com]

The BPAS, on the other hand, had donations of around £27 million [charitycommission.gov.uk] in 2013 (0.15% of RBS revenue), and their CEO is thought to earn aro

Re:

[Anonymous Brave Guy]

It's worth noting that the fine for the charity here relates to disclosing personal data about nearly 10,000 individuals, so it worked out around £20 per victim, even though the nature of the breach is obviously quite serious.

In contrast, the bank released a lot of personal data but only about a much smaller number of individuals (it seems to be only in low double figures looking through the ICO's information more deeply, via a series of careless errors rather than one mass leak) so the fine per indiv

Re:so they got an anti-abortion judge

[SpankiMonki]

Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.

Re:

[Anonymous Brave Guy]

It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.

As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?

Re:

[SpankiMonki]

It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.

Would you be more sympathetic if the data in question was placed on their CMS by a contractor? From TFA:

• "When it had contracted an IT company to build its website in 2007, it had decided against storing this data within the CMS, due to security concerns. But this was not properly communicated to the IT company, so the feature was built in anyway. BPAS had no knowledge it was collecting personal data in an unsecured manner.

As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?

In general, yes. But in this case, no one was actually harmed - because the data

Re:

[sumdumass]

Well, from the article summery anyways, the bank is allowed to collect and keep personal information and the charity not only was not supposed to do so, failed to implement any auditing to ensure they were in compliance with the laws concerning personal information.

I think that right there, failing to even bother checking to see if they were in compliance, is what might have drove the fine up.

Re:

[Anonymous Coward]

Sorry, the anti-abortion issue is very political

Not in the UK it isn't, outside a few extremists and idiot MP's who insist on introducing Private Member Bills for reading to no-one in particular.

On the flip-side it strikes me that the data that BPAS held was exactly the sort of data an extremist would like to have, and thus they deserve the fine for being idiots.

Re:

[Lehk228]

these idiots were storing abortion patient information without adequate security, fuck 'em.

"Anonymous anti-abortion extremist"

[schwit1]

If the perpetrator was sent to jail how is this 'anonymous'?

How do you know this wasn't a simple extortion for money scheme?

Re:

[jythie]

I think they are saying the person was "A"nonymouse, so the self identity. The hacker in question was specifically interested in anti-abortion activism when targeting the site.

Re:

[sandytaru]

Nope, it's right. The hacker claimed to be part of Anonymous. [v3.co.uk]. Which is kind of odd, most of the time they do vigilante justice on organizations that actually deserve it, like Scientology.

Re:

[wagnerrp]

You say "they" as if they are some kind of coherent organization with enrollment.

Re:

[sandytaru]

Good point. I am thinking specifically of two Anonymous members/affiliates/4chan trolls I know in real life, who wouldn't give a rat's ass about that issue. But this is the Internet, of course, and smart people can get irrational about the weirdest things. (Well, not so smart, if he got caught.)

Re:

[wagnerrp]

There is no "they", as there is no organized entity or group for "they" to refer to. There are only individuals who happen to carry the moniker for a specific event.

Re:

[wagnerrp]

How do you easily identify Anonymous?

Re:

[wagnerrp]

So then name two people who are in Anonymous. Presumably non-Human "things" cannot be in it.

Re:

[wagnerrp]

And other than their own claim, what makes them members of Anonymous?

Re:

[wagnerrp]

But then "they" is referring to those specific people, not to Anonymous.

Re:

[wagnerrp]

Apparently two internet dorks arrested in the US.

Anonymous not anonymous

[Martin Spamer]

Anonymous because

1) 'James Jeffery' defaced the the site with Anonymous logo and anti-abortion rhetoric.
2) Posted claim on @Anonymous [wordpress.com] on twitter
3) Was 'Ratted Out' by FBI informant Sabu [gawker.com].

Hacker Makes Anonymous Look Like Assholes By Attacking Abortion Provider In Their Name [gawker.com]

hmmm

[ganjadude]

Well I mean there do need to be penalties for companies not storing customer data correctly, especially in the medical field. Im not versed enough on abortion cliniques to know if 200K is justified or not but they should get some sort of fine no questions

Re:hmmm

[Xest]

A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.

Re:

[jythie]

That was my thought too. This is not exactly a tech savvy organization that did a lot of in house work. If this is not sorted out it could set a worrying precedent that hacking groups that have limited resources can really hurt them, esp since even well funded ones are rarely able to fend off a dedicated attacker with a profit motive or agenda.

Re:

[Fallen Kell]

This isn't about the hacking groups being able to hurt anyone. It is about doing proper security and handling of personal information. The data was being stored improperly, end of the discussion. It doesn't matter if a hacker group then hacked the website or not and discovered the data and stole it. The data should never have been there to begin with for the hackers to get to, and that is the problem. However, doing things "right" costs money. Businesses and organizations need to know that cutting corners w

Re:

[sandytaru]

That's the problem with out-sourcing to the experts without hiring an expert of your own in-house to verify that it was being done right. If there was an internal guy who was tasked with verifying the architecture and the security of the work, make him the scapegoat - but the fact that they're just trying to fine the organization outright is a clue to me that the didn't have an internal resource in place when they should have.

Re:

[wagnerrp]

"Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine. Hell, even plenty of so-called experts don't know the right way to do things. If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.

Re:

[Fallen Kell]

If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.

But the security industry does know what they are doing. The "industry standard practice" for special characters is to limit the ability of a brute force attack of your password. By requiring a special character, they increased the search space needed to find the password. For an 8 character length password requiring lower case letters, there are 8*26 possible passwords. Add upper case letters, and there are 8*52 possible passwords. Add numbers and there are 8*62 possible passwords. Add special characters a

Re:

[wagnerrp]

That argument only holds true if passwords were actually randomly generated. Humans are incapable of intentionally generating entropy. If forced to add a capital letter to a password, users will most likely place a single capital at the beginning or end. Numbers and special characters will replace similar looking letters. Passwords will still be based off dictionary words. The effective increase in entropy produced by such requirements is many orders of magnitude less than what the increased keyspace w

Re:

[Shimbo]

Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine.

The principles are in Schedule 1 of the DPA [legislation.gov.uk]

Re:

[rtb61]

Still it is a charity as such the judge should take that into account. It is not fining the charity it is fining those who get assisted by the charity by denying them services and it is fining those who contribute to the charity by asking them to handover money to the government instead of the charity and the people that charity assists.

So the judge needs to step back and consider what he is doing in reality. Hmm, this really does stink of an anti-abortion judge doing their bit.

Re:

[lgw]

Not being tech savvy is no excuse. Hire a contractor to do the work, then pay for a security audit from a different firm. That's all that's required.

Re:

[RobinH]

We can't allow some beret-wearing-mac-toting hipster web site developer to be held responsible, now can we? Actually, all jesting aside, it's right to hold the organization accountable, and possibly key people at the organization if it can be shown that they didn't fulfill their duty (and clearly someone didn't). The contractor is almost never responsible legally in this case, though if the contract demanded that the software do something and it didn't do it, then the organization may be able to sue for b

Re:

[mjwalshe]

Unfortunately charitys in the UK collectively need this wakeup call - I worked on a few charity projects and we where certain that at least one of our clients -one of the Huge uk charities - was completely ignoring some of the rules on handling bank and CC details.

Its hard but the charity needs to merge with another in the field and start taking its computer security seriously.

Re:

[Xest]

You're right, but the fine is entirely down to the ICO. Remember the ACS: Law guy who was chasing file sharers over porn on bittorrent and left a list of his accused on his website for all to download stating personal information and associating their names width different flavours of porn?

He was fined a pathetic £1000 because the ICO didn't want him to endure the hardship of potentially losing his $1million house simply because the guy provided a "sworn statement" that he couldn't pay a higher

Re:

[VoiceOfDoom]

That clause only applies to criminal offences under the Data Protection Act. This was a Civil Monetary Penalty which the ICO has levied for a breach of the 7th Principle.

Breaching the Principles is not in itself a crime (hence "Civil" Monetary Penalty). There are crimes under DPA, for example unlawfully obtaining personal data.

The charity *should* have contracts in place with the website provider that allow them to recover the cost of the fine on the basis that the contractor didn't do the job properly.....

Re:

[mikechant]

What we do know about the charity case is that there were almost ten thousand records of patients of a highly controversial practice

It's not 'highly controversial' in the UK, where this happened (unlike the US).

Low hanging fruit...

[Anonymous Coward]

If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.

Re:

[jythie]

That is my thought. Non-profits like this generally depend on the contractors to have done their job right since their limited resources tend to be focused on their mission.

Re:

[sudo]

Actually a lot of charities use volunteers.

This will need to change if they intend to store extended user databases

Re:

[mjwalshe]

Unlikely Charitys get a lot of slack in the UK there are no overzelous elected prosecutors trying to get headlines to further his political career. Charitys are notorious for bad hr issues.

Re:Low hanging fruit...

[jimicus]

That's not how ICO fines work.

The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.

Once the investigation is complete, they'll do a few things:

  1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
  2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
  3. Issue a thumping great fine.

It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.

Re:

[Antony T Curtis]

That's not how ICO fines work.

The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.

Once the investigation is complete, they'll do a few things:

1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.

2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.

3. Issue a thumping great fine.

It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.

Parent posting needs to be modded up.

Re:

[jimicus]

Replying to myself, but.... £200,000 is a pretty big fine by ICO standards.

Reading the report, it seems that while the BPAS did everything right once the breach was discovered, the circumstances that led to it happening in the first place were caused by pretty blatant incompetence. They knew (or should have known) that the details of people who wanted to use their services would be confidential information, they sacked the firm that built the website over concerns for their ability but they kept the s

No Sympathy

[TechyImmigrant]

I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

Re:No Sympathy

[Fallen Kell]

I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.

Re:

[interkin3tic]

Why so black and white? Your brain should be able to handle sympathy while at the same time thinking they should be required to pay the fine.

At the very least, realize that the people who are going to be paying the price here aren't people who said "Hey, know what? FUCK PRIVACY! HAHAHAHAHAHA!"

Re:

[TechyImmigrant]

Because this was the UK, where the terms of the data protection act are well understood. Ignorance of that is no more excusable than ignorance of tax law, or speed limits.

They had plenty of non technical choices to protect the data. They could have kept it on paper in a locked room. They could have kept the computers off the internet. They could have kept the data in excel tables on USB sticks. They could have hired a consultant who specializes in data protection compliance. There are no shortage of them.

Re:

[Anonymous Coward]

So if you have some repairs done on your bike or car, and you don't self-certify that the car / bike is in perfect working order and you go careening through an intersection killing 3 children, you will be held responsible for your lack of verifying that all repairs were completed properly.

Gotcha, can't wait to see you executed for that bub.

A contractor is responsible for their work - that's why they have to carry insurance for errors / omissions.

If the Charity said "make sure it's secure" but had no one on

Re:

[Anonymous Coward]

K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.

The charity was the organisation registered as a data controller. It was their responsibility to ensure the security of the data. It was their responsibility to define the requirements of the system comprehensively. It was their responsibility to make sure the contractor did the job correctly. They failed in their responsibility, and now face the consequences.
This i

Re:

[Anonymous Coward]

If the Charity said "make sure it's secure" but had no one on staff to validate that, then it's no different from your local mechanic fudging the work causing your brakes to fail and you get sent to prison for life or get executed for murdering innocent children.

K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.

No, YOU need to pull your head out of YOUR ass and understand it was the charity that had the legal resp

Re:

[mjwalshe]

And I woudl not be surprised in the Security Service have not got him on file now as there are worries about ultra anti abortionists coming over from the USA to here

Re:

[sudo]

I can see a new lucrative industry in hacking/extortion on the horizon.

How far do these laws go?

[BitterOak]

This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?

Re:How far do these laws go?

[hawkinspeter]

As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.

Re:

[eionmac]

In UK these laws apply to all 'personal data' , even in written form inside your organisation, all personal data must be securely held.
Thus membership list etc should be kept in a safe or locked cupboard in locked premises if in written form and in secured electronic form if on a database or website. No if, No buts! Germany is the toughest on data protection.

What I don't like

[shentino]

Is that they're fining a non profit organization supported by donations.

If this was a business I would see more sense, but somehow fining charities doesn't sit well with me.

Re:

[frisket]

I have the same slight sense of unease because they're a charity doing important work, but the people responsible (the individual[s] and their management) have to be taught a lesson they won't forget. Perhaps naming and shaming them is more appropriate.

The nature of responsibility

[Martin Spamer]

If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.

The size of the fine is not a reflection of the degree of negligence but a result of the damage done . In this c

Re:

[whoever57]

If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.

If you are correct, then the BPAS should be able to sue the contractor, since it was the contractor's sole fault th

bogus comparison

[cas2000]

The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

This is nonsense. "data theft" and "failure to secure personal data" are two completely different crimes - it's perfectly normal for different crimes to have different penalties.....and failing to secure the personal details of 9900 patients is a far more serious crime than breaking into a computer and copying files.

Local context

[Anonymous Coward]

Many thousands of women from the Republic of Ireland have to travel to the UK in order to get a safe abortion, as abortions are virtually illegal in Ireland. What makes this particularly serious is that Ireland has moved towards making it illegal for Irish citizens to have an abortion anywhere in the world; and so if this information had leaked then thousands of women could have become liable for prosecution or at least investigation.

Re:

[timmyf2371]

In this situation, the organisation was not merely unlucky. The data was not stored securely at all and this was made worse by the fact that they had not carried out a proper assessment of the data storage techniques. The DPA is very strict and rightly so - it is our personal information which is at risk here.

All too often there are stories of charitable organisations cutting corners and thinking they can get away with it. This fine is a message that organisations, regardless of purpose, will be treated equ

Re:

[Shimbo]

What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.

In all probablility burning tens of thousands pounds more of the charity's money in the process. If they do actually go to appeal, rather than just saying it in the heat of the moment. It's a she, by the way.

To be fair, they are victims in the sense that if they didn't get hacked, they might have got away with their negligence but that is often true. It's rather like blaming the guy that pulled out in front of you when you were drunk driving.

Re:

[account_deleted]

Comment removed based on user account deletion