BPAS Appeals £200,000 Fine Over Hacked Website
DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts."
The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."
If the perpetrator was sent to jail how is this 'anonymous'?
How do you know this wasn't a simple extortion for money scheme?
Well I mean there do need to be penalties for companies not storing customer data correctly, especially in the medical field. I'm not versed enough on abortion clinics to know if 200K is justified or not but they should get some sort of fine no questions
have you seen my sig? there are many others like it but none that are the same
If this were a for-profit corporation, this verdict would have never been tried, much less decided on. The target was easy and fairly defenseless.
I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
"so they got an anti-abortion judge"
Trust some AC on Slashdot to try to turn it into a political issue.
It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.
Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.
This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
And I would not be surprised if the Security Service have not got him on file now as there are worries about ultra anti-abortionists coming over from the USA to here
Trust some AC on Slashdot to try to turn it into a political issue.
This coming from one of the most politically-instigating people on the site.
Is that they're fining a non profit organization supported by donations.
If this was a business I would see more sense, but somehow fining charities doesn't sit well with me.
Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.
I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.
Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.
I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
At least, the ICO should demonstrate the fine is consistent with other cases.
I can see a new lucrative industry in hacking/extortion on the horizon.
This is nonsense. "data theft" and "failure to secure personal data" are two completely different crimes - it's perfectly normal for different crimes to have different penalties... and failing to secure the personal details of 9900 patients is a far more serious crime than breaking into a computer and copying files.
Many thousands of women from the Republic of Ireland have to travel to the UK in order to get a safe abortion, as abortions are virtually illegal in Ireland. What makes this particularly serious is that Ireland has moved towards making it illegal for Irish citizens to have an abortion anywhere in the world; and so if this information had leaked then thousands of women could have become liable for prosecution or at least investigation.
"Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."
Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.
Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
I find this outcome incredibly offensive. The hacker is probably so radically anti-abortion that he doesn't give a shit about his fine or jail-time. All this really does is damage the charity, which was probably his goal in the first place: to get them fined for not securing data. And, as has already been mentioned, the charity probably isn't even responsible for the data breach. All the work was probably contracted out. Besides, if Stratfor and Sony and damn near everyone else can't securely store data, what makes you think this charity magically can?
All of our systems are hackable. Everyone is vulnerable to an advanced persistent threat.
Anonymous because
1) 'James Jeffery' defaced the site with Anonymous logo and anti-abortion rhetoric.
2) Posted claim on @Anonymous on twitter
3) Was 'Ratted Out' by FBI informant Sabu.
Hacker Makes Anonymous Look Like Assholes By Attacking Abortion Provider In Their Name
Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
It's less than 1% of their annual turnover, and could easily come out of their senior management's pay. Think that will happen? Me neither.
Not in the UK it isn't, outside a few extremists and idiot MPs who insist on introducing Private Member Bills for reading to no-one in particular.
On the flip-side it strikes me that the data that BPAS held was exactly the sort of data an extremist would like to have, and thus they deserve the fine for being idiots.
UK salaries aren't that high: it's more like the annual salary of about five professionals, and it seems to be about three times their annual "governance" spending according to the summary of their accounts on the Charity Commission website (although since they apparently have the equivalent of 354 full-time employees they must be filing the bulk of their wage bill under "charitable activities"). Perhaps more pertinently, it's about 1% of annual turnover, which is not an unreasonable level to pitch a fine which can't be treated as a cost of "doing business" badly.
In fact the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements had been changed to specifically exclude this feature because of security concerns. However the DPA doesn't take this into account. Data loss is an absolute offence, no negligence is necessary. If the organisation loses the data they are guilty.
The size of the fine is not a reflection of the degree of negligence but a result of the damage done. In this case very serious damage because of the extremely sensitive nature of the data and who was able to access it.
It's about time that some of these organizations (including banks and others)...Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices....It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
I guess "heavy handed" is a relative term, so let's take a look at ICO's BPAS fine vs ICO's bank fine:
The ICO fined The Royal Bank of Scotland the grand sum of £75,000 in 2013*. The RBS Group had around £18 billion in income during 2012, and the top 2 executives received almost £4 million (excluding stock awards) in compensation. (RBS 2013 Financials)
The BPAS, on the other hand, had donations of around £27 million in 2013 (0.15% of RBS revenue), and their CEO is thought to earn around £120K (7.5% of RBS CEO pay). Yet they were fined £200,000 (2.67X the RBS fine).
Dunno. Seems kinda heavy handed to me.
* only instance of ICO fining a bank that I could find
It's worth noting that the fine for the charity here relates to disclosing personal data about nearly 10,000 individuals, so it worked out around £20 per victim, even though the nature of the breach is obviously quite serious.
In contrast, the bank released a lot of personal data but only about a much smaller number of individuals (it seems to be only in low double figures looking through the ICO's information more deeply, via a series of careless errors rather than one mass leak) so the fine per individual victim appears to have been much greater here, probably working out to £1,000s per victim.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.
It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.
As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"This coming from one of the most politically-instigating people on the site."
Example?
Please show me where I have tried to "politicize" abortion or other social subject. I certainly do have opinions about them, but I don't think a court should be making decisions based on politics. I would be interested in seeing an example of where you think I might have stated otherwise.
It sounds like the hack was only possible because personal data that should never have been anywhere near a public website wasn't properly controlled, so I don't have much sympathy for them on that score.
Would you be more sympathetic if the data in question was placed on their CMS by a contractor? From TFA:
As far as being hacked compared to continued careless releases, the latter seems to deserve a harsher penalty, and the fines here do seem to reflect that. Isn't this what we want to happen?
In general, yes. But in this case, no one was actually harmed - because the data in question was never made public. If the ICO fine was in proportion to the damage the BPAS hack caused, the ICO could've simply given a warning (or a token fine). As it is, the only real harm done here is by the ICO.
In this situation, the organisation was not merely unlucky. The data was not stored securely at all and this was made worse by the fact that they had not carried out a proper assessment of the data storage techniques. The DPA is very strict and rightly so - it is our personal information which is at risk here.
All too often there are stories of charitable organisations cutting corners and thinking they can get away with it. This fine is a message that organisations, regardless of purpose, will be treated equally in the eyes of the law.
What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.
Backup not found: (A)bort (R)etry (P)anic
Well, from the article summary anyways, the bank is allowed to collect and keep personal information and the charity not only was not supposed to do so, but also failed to implement any auditing to ensure they were in compliance with the laws concerning personal information.
I think that right there, failing to even bother checking to see if they were in compliance, is what might have driven the fine up.
Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be.
I may be wrong on this, but in the US, HIPAA would rule the day on such a case, no? That would mean that 200k Pounds Sterling would be a wee drop in the bucket compared to the fine such an organization would face here should it face a data leak of that magnitude.
Remove the mission statement of the place... this is confidential patient information, and should be safeguarded as such. If the place demands to be treated as a health facility (even if social), then it has to take the responsibilities along with the benefits.
Quo usque tandem abutere, Nimbus, patientia nostra?
What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.
In all probability burning tens of thousands of pounds more of the charity's money in the process. If they do actually go to appeal, rather than just saying it in the heat of the moment. It's a she, by the way.
To be fair, they are victims in the sense that if they didn't get hacked, they might have got away with their negligence but that is often true. It's rather like blaming the guy that pulled out in front of you when you were drunk driving.
You're right, but the fine is entirely down to the ICO. Remember the ACS: Law guy who was chasing file sharers over porn on bittorrent and left a list of his accused on his website for all to download stating personal information and associating their names with different flavours of porn?
He was fined a pathetic £1000 because the ICO didn't want him to endure the hardship of potentially losing his $1million house simply because the guy provided a "sworn statement" that he couldn't pay a higher fine even though he blatantly could.
There also seems to be a lot of picking and choosing about holding individuals liable - i.e. it seems to never happen even though the Data Protection Act explicitly allows for that.
You're making substantial assumptions about what kind of teeth HIPAA has. When I worked at a medical software company -- wherein I was directly responsible for systems handling patient data, went through HIPAA training, and worked directly with our HIPAA compliance officer to determine technical measures -- it was damned near toothless; what we spent hiring said officer and taking said measures was much more than we would have been fined for a single breach. (We wouldn't have been able to sell the system or satisfy investors unless we could pass an audit, so it was the right business decision to make, but much of what our compliance officer told us was how much work we didn't have to do; the actual compliance requirements often fell far short of what I considered best practices).
these idiots were storing abortion patient information without adequate security, fuck 'em.
Snowden and Manning are heroes.