Slashdot Mirror

← Back to Stories (view on slashdot.org)

BPAS Appeals £200,000 Fine Over Hacked Website

Posted by Unknown on from the check-your-databases dept.

DW100 writes "A UK charity that provides help and guidance for women seeking abortions has been fined £200,000 after a hacker breached its website in 2012 and was able to gather data on 9,900 people that had requested help from the organization. The hacker was given almost three years in jail for the attack. The charity's CEO has condemned the decision, arguing it rewards the hacker for his efforts." The data was unintentionally stored in their CMS after miscommunication with a contractor, and they never performed security audits. Martin S. writes "The BPAS is appealing a £200,000 fine imposed by the ICO after their website was hacked by an Anonymous anti-abortion extremist. The amount is particularly egregious when perpetrators of willful data theft often attract fines of only a few thousand pounds."

10 of 104 comments (clear)

  1. "Anonymous anti-abortion extremist" by schwit1 · · Score: 5, Insightful

    If the perpetrator was sent to jail how is this 'anonymous'?

    How do you know this wasn't a simple extortion for money scheme?

  2. No Sympathy by TechyImmigrant · · Score: 5, Insightful

    I have no sympathy. They need to be required to pay the fine so everyone else who handles personal data gets the message that you don't handle it negligently.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:No Sympathy by Fallen+Kell · · Score: 5, Insightful

      I agree entirely. And the fine needs to be high enough that it is cheaper to do the work properly than it is to risk not doing it and simply paying the costs of the fine.

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  3. Re:hmmm by Xest · · Score: 5, Insightful

    A better solution would have been to not fine the organisation but to use the clause of the data protection act that allows individuals to be held responsible and fine the contractor for being so negligent as to store personal data insecurely and anyone at the organisation who allowed it.

  4. How far do these laws go? by BitterOak · · Score: 5, Insightful

    This wasn't a corporate site nor was it a medical services site. This was a non-profit charitable organization. Suppose I set up a website of my own, not for profit, in which I provide information on where to get an abortion. Suppose I don't secure my web server enough and a hacker gets a copy of my access.log files and is thus able to determine who visited my site and suppose they publish that information. Would I be subject to big fines as well? What if it was a website about some other subject like building model trains? I understand in this case the hackers probably got more than just IP addresses, but where exactly is the line drawn? Is anyone who has a website in danger of running afoul of these laws?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:How far do these laws go? by hawkinspeter · · Score: 5, Insightful

      As far as I know, the line is drawn when you start storing personal data. They were keeping the name, address, date of birth and telephone number of people who were looking for advice and they weren't keeping it securely. A typical web server won't be storing anything more than IP addresses and browser types so you won't get into trouble for storing personal data without following the relevant laws.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  5. Re:so they got an anti-abortion judge by interkin3tic · · Score: 3, Insightful

    Maybe in the UK, the topics of abortion and politics can be separated, but in the US it definitely can't be. Moreover, the charity itself says it was an anti-abortion activist, and that the ruling rewards the criminal. So it's already political from the summary.

    I suppose since we don't read the summary anymore, we may have been able to take it BACK from political. I can see how from the title, one might think it was a bank that was being punished.

  6. Re:so they got an anti-abortion judge by sudo · · Score: 4, Insightful

    Sorry, the anti-abortion issue is very political and this is a heavy handed fine on a charity.

    I agree this organization is negligent, but if this ruling is setting a precedent then it should be scrutinized.
    At least, the ICO should demonstrate the fine is consistent with other cases.

  7. Re:Low hanging fruit... by jimicus · · Score: 5, Informative

    That's not how ICO fines work.

    The way they work is this: If you suffer a data breach that the ICO hears off, they'll investigate.

    Once the investigation is complete, they'll do a few things:

      1. Write a beautifully-worded press release explaining exactly what you did wrong and put it on the news wires.
      2. Write an equally beautifully-worded report explaining what you did wrong in explicit detail.
      3. Issue a thumping great fine.

    It's important to note that they don't have to take an organisation to court to raise this fine. It's the other way around - if your organisation gets fined, it's down to you to raise an appeal.

  8. Re:so they got an anti-abortion judge by SpankiMonki · · Score: 4, Insightful

    Absolutely true, but it's also worth pointing out that the charity didn't really disclose anything, they were hacked. In contrast, RBS continued to release financial data via fax for years after it was warned.