ICO fines charity £200,000 for data breach

The ICO has imposed a monetary penalty of £200,000 on the British Pregnancy Advice Service (BPAS) for exposing thousands of personal details to a malicious hacker

The Information Commissioner’s Office (ICO) has imposed a penalty of £200,000 on the British Pregnancy Advice Service (BPAS) for exposing thousands of personal details to a malicious hacker.

The case highlights the vulnerability of websites to attacks, as well as the challenge facing charities and smaller businesses that lack resources to defend against a wide range of cyber threats.

An ICO investigation found the charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues.

The personal data was not stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
The hacker threatened to publish the names of the individuals whose details he had accessed, but the data was recovered by the police following an injunction obtained by the BPAS. 
“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure,” said David Smith, deputy commissioner and director of data protection.

“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures,” he said.
The investigation found that as well as failing to keep the personal information secure, the BPAS had breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.

Calum MacLeod, vice-president for Europe at security firm Lieberman Software said that although the penalty comes as no surprise, he can sympathise with the BPAS.

“Like many registered charities, they are never going to be able to attract top IT staff, and with their limited resources, it will very often mean that they will outsource services, such as website development.

“What this shows is that great care needs to be taken when doing this type of work. If you don’t have the staff who can do proper penetration testing on applications such as websites, then you are serious risk of a breach. There are so many risk areas associated with websites, that makes professional testing essential,” he said.

Besides lacking the necessary technical expertise, MacLeod said it was unlikely that BPAS had coverage to insure that if they were breached, their outsourcer would be liable.

“This may be a consideration for organisations going forward. In order to ensure financial liability does not end up with the victim, customers should demand that outsourcers provide for coverage in the event that a breach results from a known vulnerability,” he said.

Compromises can happen to any organisation, but this response that they ‘didn’t realise’ the data was there is inexcusable

Tim Erlin, Tripwire

MacLeod said it is important to use a reputable cloud provider who is more likely to ensure the web service infrastructure is protected. However, he said that ultimately, if an application is inherently insecure, it will also be at risk in the cloud.

However, Tim Erlin, director of security and risk strategy at security firm Tripwire, was less sympathetic, highlighting that this is not the first time the BPAS has been hacked.

“In 2012, some 10,000 records were taken from them. Given that history, it’s surprising they would plead ignorance on where their customer data is stored and for how long,” he said.

Erlin said in the light of the previous breach, the BPAS would have known it was a target and should have been more diligent about securing this data.

“Compromises can happen to any organisation, but this response that they ‘didn’t realise’ the data was there is inexcusable,” he said.

Joel Barnes, senior system engineer at Tripwire, said the BPAS may have outsourced their website and assumed that the provider would deal with the security issues.

“As such, there was either a failure in due diligence in assessing the third party, or a lack of maturity and time to assess a homegrown solution. Either way, this shows the importance of embedding security into the business planning process and allowing them to have a say in decisions that are made,” he said.

Brendan Rizzo, technical director for Europe at Voltage Security, said organisations need to fully understand the responsibility that is intrinsically and automatically linked with their collection of any sensitive data.

Organisations must ensure that, if data does need to be collected and stored, it is protected with strong encryption

Brendan Rizzo, Voltage Security

“When the job of implementing an information-gathering system falls to an outsourced contractor, the contractor's goals can lean towards the immediate deliverable of getting this information from the user to the company, without enough attention being paid to the lifecycle of how this sensitive data will be used, stored and deleted.

“The responsibility of making sure the data is protected remains firmly with the company or organisation collecting the data.They must ensure that any such systems have adherence to the Data Protection Act, and therefore the protection of the end user, in mind at every step from design to delivery and ongoing operational use,” he said.

Rizzo said organisations must also ensure that, if the data does need to be collected and stored, that it is protected with strong encryption. 

“Often this is seen as a stumbling block because it has traditionally required extensive customisations to accommodate the use of this encrypted data at every step along the way. 

“Luckily this is no longer an issue with the advent of the new format-preserving encryption standard which greatly simplifies the process of protecting the data throughout its entire lifecycle, and thereby mitigating the risk of privacy breaches and the associated costly fines,” he said.

Read more on Privacy and data protection