BPAS Appeals £200,000 Fine Over Hacked Website
DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts."
The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."
If the perpetrator was sent to jail, how is this 'anonymous'?
How do you know this wasn't a simple extortion for money scheme?
Well, I mean there do need to be penalties for companies not storing customer data correctly, especially in the medical field. I'm not versed enough on abortion clinics to know if 200K is justified or not, but they should get some sort of fine, no question.
I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.
"so they got an anti-abortion judge"
Trust some AC on Slashdot to try to turn it into a political issue.
It's about time that some of these organizations (including banks and others) who store personal data were held responsible for their lack of security. It has been a real problem.
Let's leave the politics out of it. The organization messed up, resulting in potential harm to the public who used its services. The court wants to hold them responsible for their messup. End of story.
This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?
"Trust some AC on Slashdot to try to turn it into a political issue."
This coming from one of the most politically-instigating people on the site.
Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.
I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.
Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.
I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
At least, the ICO should demonstrate the fine is consistent with other cases.
This is nonsense. "Data theft" and "failure to secure personal data" are two completely different crimes - it's perfectly normal for different crimes to have different penalties... and failing to secure the personal details of 9,900 patients is a far more serious crime than breaking into a computer and copying files.
That's not how ICO fines work.
The way they work is this: if you suffer a data breach that the ICO hears of, they'll investigate.
Once the investigation is complete, they'll do a few things:
1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
3. Issue a thumping great fine.
It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.
"Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity."
Well, I'm not that familiar with UK law, but like the U.S. it is still Common Law tradition.
Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices.
It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
I find this outcome incredibly offensive. The hacker is probably so radically anti-abortion that he doesn't give a shit about his fine or jail-time. All this really does is damage the charity, which was probably his goal in the first place: to get them fined for not securing data. And, as has already been mentioned, the charity probably isn't even responsible for the data breach. All the work was probably contracted out. Besides, if Stratfor and Sony and damn near everyone else can't securely store data, what makes you think this charity magically can?
All of our systems are hackable. Everyone is vulnerable to an advanced persistent threat.
In fact, the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements had been changed to specifically exclude this feature because of security concerns. However, the DPA doesn't take this into account. Data loss is an absolute offence; no negligence is necessary. If the organisation loses the data, they are guilty.
The size of the fine is not a reflection of the degree of negligence but a result of the damage done. In this case that was very serious damage, because of the extremely sensitive nature of the data and who was able to access it.
It's about time that some of these organizations (including banks and others)...Why is it a "heavy-handed" fine? It seems to me that when an organization endangers members of the public via negligence, they should receive a penalty that is sufficient to motivate them to change their practices....It seems to me that the annual salary of a couple of professionals, who probably ought to be fired anyway, seems about right.
I guess "heavy handed" is a relative term, so let's take a look at ICO's BPAS fine vs ICO's bank fine:
The ICO fined The Royal Bank of Scotland the grand sum of £75,000 in 2013*. The RBS Group had around £18 billion in income during 2012, and the top 2 executives received almost £4 million (excluding stock awards) in compensation. (RBS 2013 Financials)
The BPAS, on the other hand, had donations of around £27 million in 2013 (0.15% of RBS revenue), and their CEO is thought to earn around £120K (7.5% of RBS CEO pay). Yet they were fined £200,000 (2.67X the RBS fine).
Dunno. Seems kinda heavy handed to me.
* only instance of ICO fining a bank that I could find
Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.
In this situation, the organisation was not merely unlucky. The data was not stored securely at all and this was made worse by the fact that they had not carried out a proper assessment of the data storage techniques. The DPA is very strict and rightly so - it is our personal information which is at risk here.
All too often there are stories of charitable organisations cutting corners and thinking they can get away with it. This fine is a message that organisations, regardless of purpose, will be treated equally in the eyes of the law.
What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and to portray themselves as victims.
"What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and to portray themselves as victims."
In all probability burning tens of thousands of pounds more of the charity's money in the process, if they do actually go to appeal rather than just saying it in the heat of the moment. It's a she, by the way.
To be fair, they are victims in the sense that if they hadn't been hacked, they might have got away with their negligence, but that is often true. It's rather like blaming the guy who pulled out in front of you when you were drunk driving.