BPAS Appeals £200,000 Fine Over Hacked Website

← Back to Stories (view on slashdot.org)

BPAS Appeals £200,000 Fine Over Hacked Website

Posted by Unknown on Friday March 7, 2014 @08:32AM from the check-your-databases dept.

DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

104 comments

Min score:

Reason:

Sort:

so they got an anti-abortion judge by Anonymous Coward · 2014-03-07 08:37 · Score: 0, Insightful

lucky them
1. Re:so they got an anti-abortion judge by Jane+Q.+Public · 2014-03-07 09:01 · Score: 2, Insightful
  
  "so they got an anti-abortion judge"
  Trust some AC on Slashdot to try to turn it into a political issue.
  
  It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.
  
  Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.
2. Re:so they got an anti-abortion judge by Anonymous Coward · 2014-03-07 09:26 · Score: 2, Insightful
  
  Trust some AC on Slashdot to try to turn it into a political issue.
  This coming from one of the most politically-instigating people on the site.
3. Re:so they got an anti-abortion judge by interkin3tic · 2014-03-07 09:32 · Score: 3, Insightful
  
  Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.
  
  I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.
4. Re:so they got an anti-abortion judge by sudo · 2014-03-07 09:35 · Score: 4, Insightful
  
  Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.
  I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
  At least, the ICO should demonstrate the fine is consistent with other cases.
5. Re:so they got an anti-abortion judge by Jane+Q.+Public · 2014-03-07 10:03 · Score: 2, Insightful
  
  "Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."
  Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.
  
  Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
  
  It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
6. Re:so they got an anti-abortion judge by Shimbo · 2014-03-07 11:09 · Score: 1
  
  Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
  >
  
  It's less that 1% of their annual turnover, and could easily come out of their senior management's pay. Think that will happen? Me neither.
7. Re:so they got an anti-abortion judge by Anonymous Coward · 2014-03-07 11:11 · Score: 1
  
  Sorry, the anti-abortion issue is very political
  Not in the UK it isn't, outside a few extremists and idiot MP's who insist on introducing Private Member Bills for reading to no-one in particular.
  
  On the flip-side it strikes me that the data that BPAS held was exactly the sort of data an extremist would like to have, and thus they deserve the fine for being idiots.
8. Re:so they got an anti-abortion judge by pjt33 · 2014-03-07 11:16 · Score: 1
  
  UK salaries aren't that high: it's more like the annual salary of about five professionals, and it seems to be about three times their annual "governance" spending according to the summary of their accounts on the Charity Commission website (although since they apparently have the equivalent of 354 full-time employees they must be filing the bulk of their wage bill under "charitable activities"). Perhaps more pertinently, it's about 1% of annual turnover, which is not an unreasonable level to pitch a fine which can't be treated as a cost of "doing business" badly.
9. Re:so they got an anti-abortion judge by SpankiMonki · 2014-03-07 11:44 · Score: 2
  
  It's about time that some of these organizations (including banks and others)...Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices....It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
  I guess "heavy handed" is a relative term, so let's take a look at ICO's BPAS fine vs ICO's bank fine:
  The ICO fined The Royal Bank of Scotland the grand sum of £75,000 in 2013*. The RBS Group had around £18 billion in income during 2012, and the top 2 executives received almost £4 million (excluding stock awards) in compensation. (RBS 2013 Financials)
  The BPAS, on the other hand, had donations of around £27 million in 2013 (0.15% of RBS revenue), and their CEO is thought to earn around £120K (7.5% of RBS CEO pay). Yet they were fined £200,000 (2.67X the RBS fine).
  Dunno. Seems kinda heavy handed to me.
  * only instance of ICO fining a bank that I could find
10. Re:so they got an anti-abortion judge by Anonymous+Brave+Guy · 2014-03-07 12:01 · Score: 1
  
  It's worth noting that the fine for the charity here relates to disclosing personal data about nearly 10,000 individuals, so it worked out around £20 per victim, even though the nature of the breach is obviously quite serious.
  In contrast, the bank released a lot of personal data but only about a much smaller number of individuals (it seems to be only in low double figures looking through the ICO's information more deeply, via a series of careless errors rather than one mass leak) so the fine per individual victim appears to have been much greater here, probably working out to £1,000s per victim.
  
  --
  If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
11. Re:so they got an anti-abortion judge by SpankiMonki · 2014-03-07 12:22 · Score: 4, Insightful
  
  Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.
12. Re:so they got an anti-abortion judge by Anonymous+Brave+Guy · 2014-03-07 12:48 · Score: 1
  
  It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.
  As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?
  
  --
  If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
13. Re:so they got an anti-abortion judge by Jane+Q.+Public · 2014-03-07 13:03 · Score: 1
  
  "This coming from one of the most politically-instigating people on the site."
  Example?
  
  Please show me where I have tried to "politicize" abortion or other social subject. I certainly do have opinions about them, but I don't think a court should be making decisions based on politics. I would be interested in seeing an example of where you think I might have stated otherwise.
14. Re:so they got an anti-abortion judge by Jane+Q.+Public · 2014-03-07 13:09 · Score: 0
  
  Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.
  What I was referring to was GP inferring that the charity got a "heavy-handed" judgment because of the abortion issue, rather than it simply being a judgment they deserved for being irresponsible with personal information.
  
  It should not matter what the politics of either the charity or the criminal are; judgments are supposed to be apolitical. Saying the judgment was political is trying to inject politics into a legal matter. Do you somehow disagree with that? Or do you just assume that the court's decision was politically motivated?
15. Re:so they got an anti-abortion judge by SpankiMonki · 2014-03-07 13:11 · Score: 1
  It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.
  Would you be more sympathetic if the data in question was placed on their CMS by a contractor? From TFA:
  
  "When it had contracted an IT company to build its website in 2007, it had decided against storing this data within the CMS, due to security concerns. But this was not properly communicated to the IT company, so the feature was built in anyway. BPAS had no knowledge it was collecting personal data in an unsecured manner.
  
  As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?
  In general, yes. But in this case, no one was actually harmed - because the data in question was never made public. If the ICO fine was in proportion to the damage the BPAS hack caused, the ICO could've simply given a warning (or a token fine). As it is, the only real harm done here is by the ICO.
16. Re:so they got an anti-abortion judge by sumdumass · 2014-03-07 17:14 · Score: 1
  
  Well, from the article summery anyways, the bank is allowed to collect and keep personal information and the charity not only was not supposed to do so, failed to implement any auditing to ensure they were in compliance with the laws concerning personal information.
  I think that right there, failing to even bother checking to see if they were in compliance, is what might have drove the fine up.
17. Re:so they got an anti-abortion judge by Anonymous Coward · 2014-03-07 18:09 · Score: 0
  
  And the charity is saying it was the contractor who was at fault, if this is true, then the contractor should be facing fines, and other penalties, maybe I'm retarded but if your hiring someone to help setup a safe and secure, site/data, and the contractor fails to make sure it is secure or to do proper checks and maintenance, you shouldn't be the only ones to face fines.
  Not pointing fingers but you made it political by your comments, what does that have to do with who is responsible for the site being hacked? That's what I took from the article.
  You allowed the hacker to pay a tiny fine, and spend close to 3 years in prison. But instead of investigating who is responsible for the site being insecure, you just decide to fine the charity? Investigation would require talking to the people from the charity responsible for hiring the contractor, as well as having experts who are familiar with this type of tech, and interviewing the contractor.
  I'm not sure if this really is political on behalf of the government, but it would look that way. If your going to do this for a site, you should be applying this across every site that is hacked.
18. Re:so they got an anti-abortion judge by Anonymous Coward · 2014-03-07 18:17 · Score: 0
  
  I agree, but, they should have set their sights on Target first.
19. Re:so they got an anti-abortion judge by Penguinisto · 2014-03-07 18:39 · Score: 1
  
  Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be.
  I may be wrong on this, but in the US, HIPAA would rule the day on such a case, no? That would mean that 200k Pounds Sterling would be a wee drop in the bucket compared to the fine such an organization would face here should it face a data leak of that magnitude.
  Remove the mission statement of the place... this is confidential patient information, and should be safeguarded as such. If the place demands to be treated as a health facility (even if social), then it has to take the responsibilities along with the benefits.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
20. Re:so they got an anti-abortion judge by cduffy · 2014-03-08 02:46 · Score: 1
  
  I may be wrong on this, but in the US, HIPAA would rule the day on such a case, no? That would mean that 200k Pounds Sterling would be a wee drop in the bucket compared to the fine such an organization would face here should it face a data leak of that magnitude.
  You're making substantial assumptions about what kind of teeth HIPAA has. When I worked at a medical software company -- wherein I was directly responsible for systems handling patient data, went through HIPAA training, and worked directly with our HIPAA compliance officer to determine technical measures -- it was damned near toothless; what we spent hiring said officer and taking said measures was much more than we would have been fined for a single breach. (We wouldn't have been able to sell the system or satisfy investors unless we could pass an audit, so it was the right business decision to make, but much of what our compliance officer told us was how much work we didn't have to do; the actual compliance requirements often fell far short of what I considered best practices).
21. Re:so they got an anti-abortion judge by Lehk228 · 2014-03-08 03:36 · Score: 1
  
  these idiots were storing abortion patient information without adequate security, fuck 'em.
  
  --
  Snowden and Manning are heroes.
22. Re:so they got an anti-abortion judge by Anonymous Coward · 2014-03-10 07:43 · Score: 0
  
  You are retarded. It's the charity's site, they're responsible. There's not much investigation needed. It's not the court's place to hold the contractor responsible for the charity's site. The charity can attempt recovery from the contractor under the terms of their contract. If you're hiring a contractor to work with sensitive material, make sure your contract covers you and audit their work carefully.
"Anonymous anti-abortion extremist" by schwit1 · 2014-03-07 08:39 · Score: 5, Insightful

If the perpetrator was sent to jail how is this 'anonymous'?
How do you know this wasn't a simple extortion for money scheme?
1. Re:"Anonymous anti-abortion extremist" by jythie · 2014-03-07 08:45 · Score: 1
  
  I think they are saying the person was "A"nonymouse, so the self identity. The hacker in question was specifically interested in anti-abortion activism when targeting the site.
2. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 08:53 · Score: 0
  
  It was an extortion scheme, whichever idiot wrote the slashdot summary is incorrectly implying a connection to the hacker group Anonymous.
3. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 08:53 · Score: 0
  
  I think they are saying the person was "A"nonymouse
  Well it's true, I haven't seen them post in a while....
4. Re:"Anonymous anti-abortion extremist" by sandytaru · 2014-03-07 09:15 · Score: 2
  
  Nope, it's right. The hacker claimed to be part of Anonymous.. Which is kind of odd, most of the time they do vigilante justice on organizations that actually deserve it, like Scientology.
  
  --
  Occasionally living proof of the Ballmer peak.
5. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-07 09:36 · Score: 2
  
  You say "they" as if they are some kind of coherent organization with enrollment.
6. Re:"Anonymous anti-abortion extremist" by sandytaru · 2014-03-07 10:04 · Score: 1
  
  Good point. I am thinking specifically of two Anonymous members/affiliates/4chan trolls I know in real life, who wouldn't give a rat's ass about that issue. But this is the Internet, of course, and smart people can get irrational about the weirdest things. (Well, not so smart, if he got caught.)
  
  --
  Occasionally living proof of the Ballmer peak.
7. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 10:13 · Score: 0
  
  You say "they" as if they are some kind of coherent organization with enrollment.
  Lol wut? One *might* be able to draw that conclusion if GP said "it does" instead of "they do". His use of "they" is entirely correct. Learn some fucking English.
8. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-07 11:33 · Score: 1
  
  There is no "they", as there is no organized entity or group for "they" to refer to. There are only individuals who happen to carry the moniker for a specific event.
9. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 12:07 · Score: 0
  
  There is no "they", as there is no There is no "they", as there is no organized entity or group for "they" to refer to. or group for "they" to refer to. There are only individuals who happen to carry the moniker for a specific event.
  they (pronoun)
  "used to refer to two or more people or things previously mentioned or easily identified."
  See how there's ZERO requirement in the definition of "they" to refer to a organized entity? But by all means, continue trying to be right. It'll be fun watching you make a bigger fool of yourself.
10. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-07 12:34 · Score: 1
  
  How do you easily identify Anonymous?
11. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 12:50 · Score: 0
  
  How do you easily identify Anonymous?
  LOL. Here, let me help you. Remember the first part of the definition for "they"? I'll bold it for you:
  "used to refer to two or more people or things previously mentioned or easily identified."
  With me so far? OK, now look at the word immediately following the bolded part of the definition above. That word is "or". "Or" is a word used to connect words, phrases, or clauses representing alternatives. Al-ter-na-tives. (alternatives means "the choice between two mutually exclusive possibilities.
12. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-07 13:23 · Score: 1
  
  So then name two people who are in Anonymous. Presumably non-Human "things" cannot be in it.
13. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 15:35 · Score: 0
  
  You look up here ^
  It's the word that comes before "Coward".
14. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 15:43 · Score: 0
  
  So then name two people who are in Anonymous. Presumably non-Human "things" cannot be in it.
  HAR! Is that all you gots? OK, how about Dmitriy Guzner and Chris Doyon? They were arrested in the US.
  See how I used the word "they"in the last sentence above to refer to two or more people mentioned in the previous sentence? See how the word "they" doesn't have to mean "organized entity"? I bet you don't see, do you?
  No matter, bring it on! I'll be up all night.
15. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-07 16:06 · Score: 0
  
  Here's some more:
  Anonymous has lots of members; they are legion!
  Anonymous uses computers, and they might have keyboards.
  Talk to some primary school teachers...they might be able to instruct you on the proper use of pronouns!
16. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-07 17:53 · Score: 1
  
  And other than their own claim, what makes them members of Anonymous?
17. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-08 01:35 · Score: 0
  
  They don't have to be members of Anonymous in order to use the word "they" to properly refer to them.
  Pronouns FTW!
18. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-08 03:10 · Score: 1
  
  But then "they" is referring to those specific people, not to Anonymous.
19. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-08 03:20 · Score: 0
  
  I don't understand. Who are you referring to with that strange word "those"?
20. Re:"Anonymous anti-abortion extremist" by wagnerrp · 2014-03-08 06:07 · Score: 1
  
  Apparently two internet dorks arrested in the US.
21. Re:"Anonymous anti-abortion extremist" by Anonymous Coward · 2014-03-08 07:06 · Score: 0
  
  Apparently those dorks were members of an organized entity. By your logic, If they weren't, you shouldn't have used the word "those" to refer to them.
  What say you now?!?
hmmm by ganjadude · 2014-03-07 08:40 · Score: 2

Well I mean there do need to be penalties for companies not storing customer data correctly, especially in the medical field. Im not versed enough on abortion cliniques to know if 200K is justified or not but they should get some sort of fine no questions

--
have you seen my sig? there are many others like it but none that are the same
1. Re:hmmm by Xest · 2014-03-07 08:50 · Score: 5, Insightful
  
  A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.
2. Re:hmmm by Anonymous Coward · 2014-03-07 08:52 · Score: 0
  
  I think the point is that willful data theft has been garnering fines to the tune of thousands-of-pounds, not hundreds-of-thousands.
  The message, then, is that "it's not culturally viable to oppose abortion. Capisce?"
3. Re:hmmm by jythie · 2014-03-07 08:55 · Score: 1
  
  That was my thought too. This is not exactly a tech savvy organization that did a lot of in house work. If this is not sorted out it could set a worrying precedent that hacking groups that have limited resources can really hurt them, esp since even well funded ones are rarely able to fend off a dedicated attacker with a profit motive or agenda.
4. Re:hmmm by Fallen+Kell · 2014-03-07 09:03 · Score: 1
  
  This isn't about the hacking groups being able to hurt anyone. It is about doing proper security and handling of personal information. The data was being stored improperly, end of the discussion. It doesn't matter if a hacker group then hacked the website or not and discovered the data and stole it. The data should never have been there to begin with for the hackers to get to, and that is the problem. However, doing things "right" costs money. Businesses and organizations need to know that cutting corners with personal information will not be tolerated, and heavily fined, so much so that it is cheaper to do the work correctly than it is to not do it correctly and pay the fines.
  
  --
  We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
5. Re:hmmm by RobinH · 2014-03-07 09:09 · Score: 1
  
  We can't allow some beret-wearing-mac-toting hipster web site developer to be held responsible, now can we? Actually, all jesting aside, it's right to hold the organization accountable, and possibly key people at the organization if it can be shown that they didn't fulfill their duty (and clearly someone didn't). The contractor is almost never responsible legally in this case, though if the contract demanded that the software do something and it didn't do it, then the organization may be able to sue for breach of contract.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
6. Re:hmmm by mjwalshe · 2014-03-07 09:19 · Score: 2
  
  Unfortunately charitys in the UK collectively need this wakeup call - I worked on a few charity projects and we where certain that at least one of our clients -one of the Huge uk charities - was completely ignoring some of the rules on handling bank and CC details.
  
  Its hard but the charity needs to merge with another in the field and start taking its computer security seriously.
7. Re:hmmm by sandytaru · 2014-03-07 09:20 · Score: 2
  
  That's the problem with out-sourcing to the experts without hiring an expert of your own in-house to verify that it was being done right. If there was an internal guy who was tasked with verifying the architecture and the security of the work, make him the scapegoat - but the fact that they're just trying to fine the organization outright is a clue to me that the didn't have an internal resource in place when they should have.
  
  --
  Occasionally living proof of the Ballmer peak.
8. Re:hmmm by wagnerrp · 2014-03-07 09:47 · Score: 1
  
  "Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine. Hell, even plenty of so-called experts don't know the right way to do things. If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.
9. Re:hmmm by Anonymous Coward · 2014-03-07 10:06 · Score: 0
  
  I think the point is that willful data theft has been garnering fines to the tune of thousands-of-pounds, not hundreds-of-thousands.
  Theft of how many records? Of what value? The "wilful data theft" link gives no indication of how many peoples' personal information was stolen, nor what nature that personal information took.
  What we do know about the charity case is that there were almost ten thousand records of patients of a highly controversial practice, whose lives may be put in danger by that information getting into extremist hands - which is exactly what happened.
10. Re:hmmm by lgw · 2014-03-07 10:21 · Score: 1
  
  Not being tech savvy is no excuse. Hire a contractor to do the work, then pay for a security audit from a different firm. That's all that's required.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
11. Re:hmmm by Fallen+Kell · 2014-03-07 11:07 · Score: 1
  
  If the security industry at large actually knew what they were doing, websites wouldn't be instituting such asinine password rules, and my own employer wouldn't have recently cited "industry standard practice" as a reason for requiring I include special characters in my domain password.
  But the security industry does know what they are doing. The "industry standard practice" for special characters is to limit the ability of a brute force attack of your password. By requiring a special character, they increased the search space needed to find the password. For an 8 character length password requiring lower case letters, there are 8*26 possible passwords. Add upper case letters, and there are 8*52 possible passwords. Add numbers and there are 8*62 possible passwords. Add special characters and there are 8*94 possible passwords. This requirement fights a specific type of attack vector.
  Are there other attack vectors? Sure, and they too have their own security rules to mitigate the chances of a successful attack.
  
  --
  We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
12. Re:hmmm by wagnerrp · 2014-03-07 11:42 · Score: 1
  
  That argument only holds true if passwords were actually randomly generated. Humans are incapable of intentionally generating entropy. If forced to add a capital letter to a password, users will most likely place a single capital at the beginning or end. Numbers and special characters will replace similar looking letters. Passwords will still be based off dictionary words. The effective increase in entropy produced by such requirements is many orders of magnitude less than what the increased keyspace would otherwise suggest. The minor increase in the difficulty to brute force the passwords is more than offset by the significant increase in the difficulty to remember, and more importantly, type, those passwords. You're much better off just requiring a few more characters.
13. Re:hmmm by Shimbo · 2014-03-07 12:01 · Score: 1
  
  Doing things right" is an incredibly nebulous statement that nearly no judge should be in a position to determine.
  The principles are in Schedule 1 of the DPA
14. Re:hmmm by rtb61 · 2014-03-07 13:43 · Score: 1
  
  Still it is a charity as such the judge should take that into account. It is not fining the charity it is fining those who get assisted by the charity by denying them services and it is fining those who contribute to the charity by asking them to handover money to the government instead of the charity and the people that charity assists.
  So the judge needs to step back and consider what he is doing in reality. Hmm, this really does stink of an anti-abortion judge doing their bit.
  
  --
  Chaos - everything, everywhere, everywhen
15. Re:hmmm by Anonymous Coward · 2014-03-07 20:24 · Score: 0
  
  It can be difficult for a contractor to convince a client that a certain task needs to be performed, especially if that task takes extra time/money. Often, the client doesn't understand and doesn't care to understand. Some are actively hostile to understanding, especially when it affects the bottom line. The business sphere is no stranger to anti-intellectualism.
  So, the contractor has two choices. They can refuse to continue, which results in: the client seeing it as a breach of contract; all kinds of payment problems, ill will, and legal issues; and the hiring of someone who will do it. Or, they can follow instructions, hope it doesn't become an issue, and get paid. It sucks but diligence is often punished.
16. Re:hmmm by mikechant · 2014-03-08 02:39 · Score: 1
  
  What we do know about the charity case is that there were almost ten thousand records of patients of a highly controversial practice
  It's not 'highly controversial' in the UK, where this happened (unlike the US).
17. Re:hmmm by VoiceOfDoom · 2014-03-08 06:21 · Score: 1
  
  That clause only applies to criminal offences under the Data Protection Act. This was a Civil Monetary Penalty which the ICO has levied for a breach of the 7th Principle.
  Breaching the Principles is not in itself a crime (hence "Civil" Monetary Penalty). There are crimes under DPA, for example unlawfully obtaining personal data.
  The charity *should* have contracts in place with the website provider that allow them to recover the cost of the fine on the basis that the contractor didn't do the job properly......bet they don't though.
  
  --
  "Life is pain Highness. Anyone who says otherwise is selling something"
  Westly, The Princess Bride
Low hanging fruit... by Anonymous Coward · 2014-03-07 08:41 · Score: 1, Insightful

If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.
1. Re:Low hanging fruit... by jythie · 2014-03-07 08:48 · Score: 1
  
  That is my thought. Non-profits like this generally depend on the contractors to have done their job right since their limited resources tend to be focused on their mission.
2. Re:Low hanging fruit... by mjwalshe · 2014-03-07 09:22 · Score: 1
  
  Unlikely Charitys get a lot of slack in the UK there are no overzelous elected prosecutors trying to get headlines to further his political career. Charitys are notorious for bad hr issues.
3. Re:Low hanging fruit... by sudo · 2014-03-07 09:38 · Score: 1
  
  Actually a lot of charities use volunteers.
  This will need to change if they intend to store extended user databases
4. Re:Low hanging fruit... by jimicus · 2014-03-07 09:55 · Score: 5, Informative
  
  That's not how ICO fines work.
  The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.
  Once the investigation is complete, they'll do a few things:
  1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
  2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
  3. Issue a thumping great fine.
  It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.
5. Re:Low hanging fruit... by Antony+T+Curtis · 2014-03-07 18:13 · Score: 1
  
  That's not how ICO fines work.
  The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.
  Once the investigation is complete, they'll do a few things:
  1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
  2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
  3. Issue a thumping great fine.
  It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.
  Parent posting needs to be modded up.
  
  --
  No sig. Move along - nothing to see here.
6. Re:Low hanging fruit... by jimicus · 2014-03-07 20:15 · Score: 1
  
  Replying to myself, but.... £200,000 is a pretty big fine by ICO standards.
  Reading the report, it seems that while the BPAS did everything right once the breach was discovered, the circumstances that led to it happening in the first place were caused by pretty blatant incompetence. They knew (or should have known) that the details of people who wanted to use their services would be confidential information, they sacked the firm that built the website over concerns for their ability but they kept the site without ever auditing it.
  The fine isn't just based on how flagrant the data breach was, it's also based on how much the organisation being fined can afford without causing undue hardship.
  I'm not surprised the CEO wants to appeal the fine. The circumstances that led to it suggest gross incompetence at several levels; if she doesn't appeal or the appeal is unsuccessful, I imagine her job is on the line.
No Sympathy by TechyImmigrant · 2014-03-07 08:47 · Score: 5, Insightful

I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:No Sympathy by Fallen+Kell · 2014-03-07 08:58 · Score: 5, Insightful
  
  I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.
  
  --
  We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
2. Re:No Sympathy by interkin3tic · 2014-03-07 09:29 · Score: 1
  
  Why so black and white? Your brain should be able to handle sympathy while at the same time thinking they should be required to pay the fine.
  
  At the very least, realize that the people who are going to be paying the price here aren't people who said "Hey, know what? FUCK PRIVACY! HAHAHAHAHAHA!"
3. Re:No Sympathy by Anonymous Coward · 2014-03-07 09:33 · Score: 1
  
  So if you have some repairs done on your bike or car, and you don't self-certify that the car / bike is in perfect working order and you go careening through an intersection killing 3 children, you will be held responsible for your lack of verifying that all repairs were completed properly.
  Gotcha, can't wait to see you executed for that bub.
  A contractor is responsible for their work - that's why they have to carry insurance for errors / omissions.
  If the Charity said "make sure it's secure" but had no one on staff to validate that, then it's no different from your local mechanic fudging the work causing your brakes to fail and you get sent to prison for life or get executed for murdering innocent children.
  K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.
4. Re:No Sympathy by Anonymous Coward · 2014-03-07 09:39 · Score: 0
  
  Why so black and white?
  
  Because justice should be blind and it should not matter whether it is a little old white woman or a teenage black male.
5. Re:No Sympathy by Anonymous Coward · 2014-03-07 10:16 · Score: 1
  
  K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.
  The charity was the organisation registered as a data controller. It was their responsibility to ensure the security of the data. It was their responsibility to define the requirements of the system comprehensively. It was their responsibility to make sure the contractor did the job correctly. They failed in their responsibility, and now face the consequences.
  This is how the law works.
6. Re:No Sympathy by Anonymous Coward · 2014-03-07 11:42 · Score: 1
  
  If the Charity said "make sure it's secure" but had no one on staff to validate that, then it's no different from your local mechanic fudging the work causing your brakes to fail and you get sent to prison for life or get executed for murdering innocent children.
  K, now that we're all clear on this, the Judge needs to pull their head out of their ass and re-assign the fine to the contractor, end of story.
  No, YOU need to pull your head out of YOUR ass and understand it was the charity that had the legal responsibility for the data, not the contractor. If the charity doesn't have someone on hand competent to audit the security of their web presence, they need to go back to accepting mail-in/phone-in donations - not having the proper staff in place is no reason for them not to be held responsible for the breach. The charity was fined, and rightly so, and will now sue the contractor for the appropriate amount.
7. Re:No Sympathy by TechyImmigrant · 2014-03-09 06:11 · Score: 1
  
  Because this was the UK, where the terms of the data protection act are well understood. Ignorance of that is no more excusable than ignorance of tax law, or speed limits.
  They had plenty of non technical choices to protect the data. They could have kept it on paper in a locked room. They could have kept the computers off the internet. They could have kept the data in excel tables on USB sticks. They could have hired a consultant who specializes in data protection compliance. There are no shortage of them.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Fine may be too large by Anonymous Coward · 2014-03-07 08:59 · Score: 0

This was a big mistake, especially considering the danger from some extremist anti-abortion people, but this seems like an overly large fine against a charity.
Ignorance is no excuse, of course, but I'm sure they didn't intentionally leave that vulnerability. They hired the wrong people, didn't give enough oversight, and it lead to the potential harm against their clients/petitioners and great financial harm against themselves. (and, by extension, the people who funded their efforts who will have a good portion of their charitable funds go to waste due to mismanagement and this fine)
Excessive fine, but rewards the 'hacker' how? by Anonymous Coward · 2014-03-07 09:13 · Score: 0

I'm pretty sure the 'hacker' would rather not have been sent to prison. Sometimes we need to take *some* responsibility even if a government is being excessive in its condemnation and punishment. It seems that maybe there aught to be some liability on the part of the contractor... maybe. I'm a little leery on that only because for that to be true there should be significant increases in the amounts charged, a contract that stipulates it in F'ing bold and clearly shows that additional payment for such guarantees. And after all that there should be some company insuring it in the event of a security lapse. Ultimately a contract stating this should have been the liability of the company/CEO and his duty to have gotten an insurance policy in the event of a lapse. Any failure in that deservedly should come from his paycheck (though, if its a non-profit, at a reduced liability, provided the non-profits in the UK are the same as in the US, whereby employees get sub-standard pay compared to the commercial companies they could be working for).
1. Re:Excessive fine, but rewards the 'hacker' how? by mjwalshe · 2014-03-07 09:24 · Score: 1
  
  And I woudl not be surprised in the Security Service have not got him on file now as there are worries about ultra anti abortionists coming over from the USA to here
£200k fine is a pittance by Anonymous Coward · 2014-03-07 09:19 · Score: 0

that's only about £20 per victim of the attack. I think £1,000-£10,000 per victim is more reasonable. There is no reason in this day and age for any company to not have their data properly secured.
1. Re:£200k fine is a pittance by sudo · 2014-03-07 09:36 · Score: 1
  
  I can see a new lucrative industry in hacking/extortion on the horizon.
How far do these laws go? by BitterOak · 2014-03-07 09:23 · Score: 5, Insightful

This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
1. Re:How far do these laws go? by hawkinspeter · 2014-03-07 09:50 · Score: 5, Insightful
  
  As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
2. Re:How far do these laws go? by eionmac · 2014-03-08 05:49 · Score: 1
  
  In UK these laws apply to all 'personal data' , even in written form inside your organisation, all personal data must be securely held.
  Thus membership list etc should be kept in a safe or locked cupboard in locked premises if in written form and in secured electronic form if on a database or website. No if, No buts! Germany is the toughest on data protection.
  
  --
  Regards Eion MacDonald
The law doesn't necessarily see sense by Anonymous Coward · 2014-03-07 09:27 · Score: 0

In the case of the data protection act, inappropriate disclosure of data is a strict liability offence. Just because an instituition or person subcontracted it out and the contractor and the contractor was negligent is neither a defence nor a mitigating factor. The holder of the data takes absolute responsibility for its safe keeping, and this responsibility cannot be waived.
As a case in point, one hospital needed to dispose of some old servers. They contacted a data destruction contractor with experience of high security data disposal. However, a new hire at the contractor stole the drives, issued fake certificates of destruction. The drives subsequently turn up on eBay with data intact. Hospital guilty, fined £400k for failing to supervise the contractor.
1. Re:The law doesn't necessarily see sense by Xest · 2014-03-07 21:01 · Score: 1
  
  You're right, but the fine is entirely down to the ICO. Remember the ACS: Law guy who was chasing file sharers over porn on bittorrent and left a list of his accused on his website for all to download stating personal information and associating their names width different flavours of porn?
  He was fined a pathetic Â£1000 because the ICO didn't want him to endure the hardship of potentially losing his $1million house simply because the guy provided a "sworn statement" that he couldn't pay a higher fine even though he blatantly could.
  There also seems to be a lot of picking and choosing about holding individuals liable - i.e. it seems to never happen even though the Data Protection Act explicitly allows for that.
What I don't like by shentino · 2014-03-07 09:30 · Score: 1

Is that they're fining a non profit organization supported by donations.
If this was a business I would see more sense, but somehow fining charities doesn't sit well with me.
1. Re:What I don't like by frisket · 2014-03-07 09:36 · Score: 1
  
  I have the same slight sense of unease because they're a charity doing important work, but the people responsible (the individual[s] and their management) have to be taught a lesson they won't forget. Perhaps naming and shaming them is more appropriate.
bogus comparison by cas2000 · 2014-03-07 09:46 · Score: 2

The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."
This is nonsense. "data theft" and "failure to secure personal data" are two completely different crimes - it's perfectly normal for different crimes to have different penalties.....and failing to secure the personal details of 9900 patients is a far more serious crime than breaking into a computer and copying files.
Only a few thousand # by Anonymous Coward · 2014-03-07 09:51 · Score: 0

... and jail time.
You are a charity, ask for people to donate to help out.
Local context by Anonymous Coward · 2014-03-07 09:57 · Score: 1

Many thousands of women from the Republic of Ireland have to travel to the UK in order to get a safe abortion, as abortions are virtually illegal in Ireland. What makes this particularly serious is that Ireland has moved towards making it illegal for Irish citizens to have an abortion anywhere in the world; and so if this information had leaked then thousands of women could have become liable for prosecution or at least investigation.
Rewards the hacker by Anonymous Coward · 2014-03-07 10:08 · Score: 0

I find this outcome incredibly offensive. The hacker is probably so radically anti-abortion that he doesn't give a shit about his fine or jail-time. All this really does is damage the charity, which was probably his goal in the first place: to get them fined for not securing data. And, as has already been mentioned, the charity probably isn't even responsible for the data breach. All the work was probably contracted out. Besides, if Stratfor and Sony and damn near everyone else can't securely store data, what makes you think this charity magically can?
All of our systems are hackable. Everyone is vulnerable to an advanced persistent threat.
1. Re:Rewards the hacker by timmyf2371 · 2014-03-07 13:29 · Score: 2
  
  In this situation, the organisation was not merely unlucky. The data was not stored securely at all and this was made worse by the fact that they had not carried out a proper assessment of the data storage techniques. The DPA is very strict and rightly so - it is our personal information which is at risk here.
  All too often there are stories of charitable organisations cutting corners and thinking they can get away with it. This fine is a message that organisations, regardless of purpose, will be treated equally in the eyes of the law.
  What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.
  
  --
  
  Backup not found: (A)bort (R)etry (P)anic
2. Re:Rewards the hacker by Shimbo · 2014-03-07 20:07 · Score: 2
  
  What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.
  In all probablility burning tens of thousands pounds more of the charity's money in the process. If they do actually go to appeal, rather than just saying it in the heat of the moment. It's a she, by the way.
  To be fair, they are victims in the sense that if they didn't get hacked, they might have got away with their negligence but that is often true. It's rather like blaming the guy that pulled out in front of you when you were drunk driving.
Rewards the hacker. by ThisIsNotAName · 2014-03-07 10:13 · Score: 2

I find this outcome incredibly offensive. The hacker is probably so radically anti-abortion that he doesn't give a shit about his fine or jail-time. All this really does is damage the charity, which was probably his goal in the first place: to get them fined for not securing data. And, as has already been mentioned, the charity probably isn't even responsible for the data breach. All the work was probably contracted out. Besides, if Stratfor and Sony and damn near everyone else can't securely store data, what makes you think this charity magically can?
All of our systems are hackable. Everyone is vulnerable to an advanced persistent threat.
Anonymous not anonymous by Martin+Spamer · 2014-03-07 10:53 · Score: 1

Anonymous because
1) 'James Jeffery' defaced the the site with Anonymous logo and anti-abortion rhetoric.
2) Posted claim on @Anonymous on twitter
3) Was 'Ratted Out' by FBI informant Sabu.
Hacker Makes Anonymous Look Like Assholes By Attacking Abortion Provider In Their Name
The nature of responsibility by Martin+Spamer · 2014-03-07 11:30 · Score: 2

If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.
The size of the fine is not a reflection of the degree of negligence but a result of the damage done . In this case very serious damage because the extremely sensitive nature of the data and who was able to access it.
1. Re:The nature of responsibility by whoever57 · 2014-03-07 13:02 · Score: 1
  
  If fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements has been change to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.
  If you are correct, then the BPAS should be able to sue the contractor, since it was the contractor's sole fault that the data was stored.
  
  --
  The real "Libtards" are the Libertarians!
Warning Slashdot Beta Has major security issues by Anonymous Coward · 2014-03-07 12:33 · Score: 0

It is rather trivial to extract the user database of slashdot through the beta front end. I am about to sue slashdot for 1 billion dollars for emotional harm caused by the release of my personal information that I found on numerous file sharing sites.
Yes, let banks reduce security, and blame robbers by Anonymous Coward · 2014-03-07 12:45 · Score: 0

Your bank wastes so much money on security to keep your money safe. Why the hell should the bank spend penny one, when if it is robbed, the fault lies entirely with the criminals responsible?
Is that fair? Is that right? Without crime there would be no need for security, so use 'punishment' of the criminal as a 100% substitute for the concept of 'security'.
I'm a BETA, dribble dribble. I sat through endless hours of High School, that taught me all about 'critical thinking', dribble. This argument by the abortion charity makes perfect sense, dribble, dribble. I mean, it just follows from any reasonable analysis of the facts, dribble. That's why the owners of Slashdot are pushing this propaganda here, dribble. To help us push for a better way, dribble, dribble. I mean, you either on the side of the operators of websites, or you are on the side of the hackers, dribble, dribble, dribble, dribble.
How DUMB do the owners of Slashdot think YOU are?
this odd by Anonymous Coward · 2014-03-08 01:04 · Score: 0

beta or not ...
there's no https to "http://ico.org.uk"?