British Pregnancy Advice Service fined £200k for Anon hack, data protection breaches

The British Pregnancy Advice Service (BPAS) has been fined £200,000 after a serious breach exposed thousands of people’s personal details to a malicious hacker. The hacker (a self-identified member of Anonymous) threatened to publish the names of people who sought advice on abortion, pregnancy and contraception. The miscreant …

COMMENTS

This topic is closed for new posts.
  1. Ross K Silver badge
    Ouch

    Ouch, that's a hefty fine to hit a charity with... I hope they appeal the decision.

    Still, this so-called "hacker" could have endangered a lot of women's safety if he had doxed them, as the yoof say.

    1. JimmyPage Silver badge
      Re: Ouch

      Yes, it is a large fine. By all means let them waste more money appealing. I hope the fine stands pour encourager les autres.

      If a few web admins have to have a sleepless weekend, as they ensure their sites are as secure as possible, then some good will have come from it.

      1. Ross K Silver badge
        Re: Ouch

        Yes, it is a large fine. By all means let them waste more money appealing. I hope the fine stands pour encourager les autres.

        What's the "pour encourager les autres" all about? Am I missing some French connection here or was that you trying to appear intelligent?

        If a few web admins have to have a sleepless weekend, as they ensure their sites are as secure as possible, then some good will have come from it.

        Yeah, that'll happen. And no website will be hacked again, ever.

        1. Jacksonville

          Re: Ouch

          "pour encourager les autres"

          If only there were some form of universally accessible information resource which could help you find the answer.

          1. Ross K Silver badge

            Re: Ouch

            "pour encourager les autres"

            If only there were some form of universally accessible information resource which could help you find the answer.

            I know what it means, I was being sarcastic. Throwing random bits of the French language into an English conversation just makes a person look like a tit, unless the person's name is Del Boy...

            "Del, you can't speak French. You're still struggling with English"

            http://www.youtube.com/watch?v=Jet29TQv2uA

            1. Jacksonville

              Re: Ouch

              Touché, a great riposte; you were being insulting then, not ignorant. A provocateur if you will.

              In order to ensure an esprit de corps entre nous, a rapprochement; if you will, I shan't continue the mêlée

              Still, since I'm having lunch, I'd better order my aperitif, my hors d'oeuvres, my Escalope Cordon Bleu and crème brûlée from the Maitre D'Hotel.

              This afternoon, I might do a few hours work to ensure my elevation from the bourgeoisie to the nouveau riche.

              Swiftly followed by a little liaison dangereuse at my en suite pied-à-terre with my belle coquette. I simply can't resist her joie de vivre, jeu d'esprit and when she's au naturel, mon dieu, the "je ne sais quoi"! Soon to be my fiancée, I think.

              Of course, this is all a façade.

              No need to RSVP ;-)

              1. Anonymous Coward
                Re: Ouch

                re: Jacksonville

                You win!

            2. Christoph
              Re: Ouch

              "Throwing random bits of the French language into an English conversation just makes a person look like a tit"

              Are we to assume then that you are going to eliminate all words and phrases of foreign origin from your postings?

              You're going to have a bit of a job there sunshine!

              Time for the James Nicoll quote again?

              "The problem with defending the purity of the English language is that English is about as pure as a cribhouse whore. We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat them unconscious and rifle their pockets for new vocabulary."

              1. Ross K Silver badge
                Re: Ouch

                Are we to assume then that you are going to eliminate all words and phrases of foreign origin from your postings?

                You're going to have a bit of a job there sunshine!

                I wrote "throwing random bits of the French language into an English conversation"...

                Random bits of the French language ≠ "all words and phrases of foreign origin"

                English is obviously not your first language as you seem unable to comprehend what I wrote. Sunshine.

            3. Anonymous Coward
              Re: Ouch

              Also note the origin of the expression; it comes from Voltaire, and was a comment on the execution of Admiral Byng, a complete overreaction to a naval defeat reminiscent of the similar mistake made on one occasion by the Athenians. "Pour encourager les autres" says Voltaire, with his usual sarcasm, implying that executing an admiral was unlikely to lead to better on the spot decision making.

        2. Mike Banahan

          Pour encourager ....

          It's not a random bit of French though. It's a fairly well known quotation and to use it carries an implication above and beyond just its simple French meaning. As with most quotations, it's going to get lost if the reader isn't familiar with it but one assumes that general knowledge and a good educayshun plays a part in that.

          From

          http://thepoormouth.blogspot.co.uk/2007/03/pour-encourager-les-autres-no-pardon.html:

          The expression "Pour encourager les autres" is a well known quote from Voltaire's Candide. The full quote is "dans ce pays-ci, il est bon de tuer de temps en temps un amiral pour encourager les autres" (in this country (England), it is good to kill an admiral from time to time, to encourage the others). It refers to the fate of Admiral John Byng who was executed in 1757.

      2. Anonymous Coward
        Re: Ouch

        "If a few web admins have to have a sleepless weekend, as they ensure their sites are as secure as possible, then some good will have come from it"

        They'll have to convince clueless senior management first, who really haven't time to bother with these computer things and have more important stuff to worry about, and certainly aren't going to listen when you try and explain about security best practice, and how the whole system needs to be re-engineered, both at the software level, but also such things as user access, password policies, not printing out everything, not emailing spreadsheets around the place, etc, etc...

        It's a thankless task. Maybe the fine will focus others on the subject of proper data security, for a little while at least.

        1. I. Aproveofitspendingonspecificprojects

          ooh yerrrrsss nice ones.

          "They'll have to convince clueless senior management first,"

          Said clueless senior management being paid in the region of one to two hundred pounds an hour or more to handle boobs?

          You don't think the words blasé and jaded apply ...when the boobs concerned are electronic?

  2. Anonymous Coward
    Interestingly he was jailed for the hack, and not for extortion/blackmail, or conspiracy to extort/blackmail etc.

    1. Anonymous Coward
      "Interestingly he was jailed for the hack"

      On Home Office guidelines (early release after 40% of sentence for a first offence) the kn0b has probably already been out of clink for nine months. I wonder what a software engineer with an unspent conviction does for a living?

  3. Grease Monkey Silver badge

    "The British Pregnancy Advice Service didn’t realise their website was storing this information,"

    But presumably somebody did. The person who coded the website perhaps. I wouldn't argue against the fine, it points out in no uncertain terms that ignorance is no excuse and that organizations need to be aware of the way their websites and other IT systems function. However I would also argue that if the organization itself didn't know then it must be true that an employee, contractor or supplier did know and they should be fined too.

    1. Bogle

      The buck stops here

      You can't go blaming the employees or a contractor. It's the BPAS' site, they're responsible.

  4. Aristotles slow and dimwitted horse

    Why?

    Why should they be able to appeal the fine because they are a charity?

    The rules apply to all. They don't get an exemption.

    1. Ross K Silver badge

      Re: Why?

      Nothing to do with being a charity. Any organisation fined by the ICO has the right to appeal - call it democracy.

      Scottish Borders Council successfully appealed their £250k fine for leaving pension records in a recycling bin in a supermarket car park. You'll find the results of other ICO appeals if you spend five minutes on Google, or even this very website.

    2. Anonymous Coward
      Re: Why?

      Well, to me it's insane that a charity which was not intending to make abusive use of data should be fined. Required to fix all the issues, yes. Required to review all the staff in the chain of command and its HR and IT policies, yes. Transferring money from a charity to the Government with lawyers siphoning off a large amount as well seems a particularly stupid way to fix problems, especially when taking the money will reduce their ability to avoid problems in future.

      Fining and criminal convictions should be reserved for people doing malicious things, like deliberately obtaining and storing personal data (looking at you, Zuckerberg).

      1. I. Aproveofitspendingonspecificprojects

        Why not?

        Required to fix all the issues, yes. Required to review all the staff in the chain of command and its HR and IT policies, yes. Sending at least one somebody to gaol for a few months for a first offence, yes!

        How could that hurt the slack bastards?

  5. Anonymous Coward
    Of course the ICO...

    will be giving proceeds obtained from fining this charity to another charity, right?.... right?

    Because if not, that basically means the ICO just pulled the moral and metaphorical equivalent of wandering down the high street, mugging every tin-shaker visible and pouring the contents into their wallet - theirs or George Osborne's. Or maybe cutting out the middle-man, going straight for the low-hanging fruit and grabbing pensioners' handbags. Of course BPAS should be held responsible in some way, but what possible benefit is there for anyone other than this Quango in fining a charity whose money is not theirs to surrender?

    1. Gordon 10
      Re: Of course the ICO...

      Indeed - fining a charity imo is even worse than fining a govt organisation.

      Couldn't it have been suspended for 3 years subject to a review of IT and data protection training?

      Surely 50k spent on training would have been far more useful than 200k going to some quangocrat.

    2. gerryg

      Re: Of course the ICO...

      If we're discussing money, the charity gets tax breaks in order to meet its charitable objectives.

      I should imagine, given BPAS claim "Confidentiality means that what a woman says to bpas staff stays private", they have failed to meet their charitable objectives.

      So, do nothing? because it's charadee?

      The trustees are personally liable for the charity. No-one forced them to become trustees. Let them find out they should have taken the role seriously.

      Most tin shakers are out of work actors on a day rate. A government study showed that it takes eighteen months of the average direct debits to recover the cost of recruiting a new donor.

      1. Anonymous Coward
        Re: Of course the ICO...

        It's difficult enough to find trustees anyway. I'm afraid I plead guilty to having passed information on to a charity about their responsibilities which has caused the trustees to have a major panic and call in external expertise to review their procedures. They are all well meaning people who wanted to do something useful. But we just don't have enough retired lawyers, accountants, HR specialists, IT security experts and so on to stuff boards of trustees, and if they don't know that they need to know these things, who is to tell them? Do we want charities to be run entirely by professional managers being paid the going rate? Because if so, why not just outsource their work to Serco or Atos (sarcasm alert).

        Personally I am an old hard lefty and I believe that every charity is a sign of the failure of central government to make proper State provision. I would like all charities to disappear as a result of no longer being needed. But it isn't going to happen. If the State with all its legal systems cannot provide properly (and the private sector certainly won't) then charities will appear, and if the State pursues their infractions with the full strength of its legal powers, I see that as an abuse.

      2. Anonymous Coward
        Re: Of course the ICO...

        "So, do nothing? because it's charadee?"

        Who said do nothing? I certainly didn't.

        "The trustees are personally liable for the charity. No-one forced them to become trustees. Let them find out they should have taken the role seriously."

        Yes, they should. And, giving a huge wodge of donated cash to a Quango does this... how exactly?

        1. gerryg

          Re: Of course the ICO...

          "Yes, they should. And, giving a huge wodge of donated cash to a Quango does this... how exactly?"

          The ICO is a quasi-judicial body and it issues fines for infractions.

          BPAS charges for its services and advises on how to get the NHS to fund it.

          Donations in 2012 were £9000 and fees for services were £26,380,000 see page 12

          Its objective is to get more NHS funding see page 7

          Three people were paid between £100,000 and £130,000 see page 20. I'm sure everyone else is on minimum wage and no-one, not even the consultant surgeons, does it for the money.

          Perhaps all fines should be abolished as once someone has "been told" they won't do it again?

    3. JimmyPage Silver badge
      Or, alternatively

      people who were going to give money to BPAS might think twice in future.

      And speaking of mugging, how about the situation I have seen a few times, where a car pulls up at the top of my cul de sac, 4 young people get out, and start blitzing the doorbells to get people to sign up for a direct debit to various charities. MacMillan is definitely one. Don't ever try and give these people cash - it offends them. It has to be a *monthly* direct debit. Of which a certain %age goes to the salesman (because that's what they are). If you should cancel your direct debit before the "collection agency" has had their cut, guess how the shortfall gets paid ?

  6. pacman7de
    Not so anonymous ..

    "The hacker (a self-identified member of Anonymous) threatened to publish the names of people who sought advice on abortion, pregnancy and contraception."

    "The miscreant - subsequently identified as James Jeffery, 29"

  7. gerryg

    BPAS are "horrified"...

    ...according to the 1 o'clock news.

    Not because they couldn't find their arse with both hands, nor that they didn't have a clue how much information they were actually storing insecurely.

    but at the size of the fine.

    Let's ask one of the women who had an abortion in circumstances where confidentiality was paramount.

    It will be quite easy to find one, apparently.

    Let's hope the trustees work out they're personally liable and are supposed to take this stuff seriously.

  8. returnmyjedi

    They mucked up and made the private details of humanoids available to a nincompoop, but £250k is the same size fine that the multibillion corporation Sony were slapped with for similar laxness. Seems a bit unfair.

    1. Christoph

      The information involved is far more sensitive. If that was published, some of the women involved would suffer serious social harm. Some of them would suffer serious physical harm.

      If you are holding that kind of sensitive information you MUST PROACTIVELY make sure it is secure. "I didn't know" is not good enough.

      1. I. Aproveofitspendingonspecificprojects

        TFT!

        Take an upvote.

  9. bigtimehustler

    The biggest problem with this fine is that it is a charity, so the only people it is going to punish are the women who need to use its services. In no way is anybody else going to be punished by this figure. You could also say that the people who gave their money to the charity, probably didn't want whoever gets an ICO fine to get their money. So yea, in this case it is an entirely incorrect judgement, regardless of what sign you need to show to others, choose a private company to show that sign with.

  10. Tom 38

    From the BBC article

    BPAS chief executive Ann Furedi said: "We accept that no hacker should have been able to steal our data but are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.

    "This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime."

    This sort of attitude makes me angry - yes you were the victim of a crime, that crime exposed your own illegal practices, ergo fine.

    Someone at BPAS was being paid to be a data controller, and was plainly not doing their job. They should not be appealing the fine, they should have dismissed their data controller for incompetence and sue them for professional misfeasance to recover the fine.

    1. Anonymous Coward
      Re: From the BBC article

      How much is the data controller paid and what are his or her qualifications?

      Before jumping to conclusions as to appropriate remedies, you would need to know this; also the contractual relationship between the data controller and the charity. Is the data controller totally responsible if a third party screws up?

      Dismissal possibly, but suing for professional malfeasance? Thank deity of choice we are not yet the United States, and learn a bit more about English law before sounding off.

      1. Tom 38

        Re: From the BBC article

        Yes, that is the entire purpose of the data controller, they are responsible for ensuring an entity conforms to the DPA where they deal with personal data. Admitting they had no clue they were even storing the data just demonstrates their failings in regard to the act.

        BTW I said misfeasance, not doing your job competently. Malfeasance is deliberate wrongdoing, completely different.

  11. Bluenose

    Why prosecute anyone?

    I think people need to step back on this and think through why the BPAS was fined:

    In accordance with the Data Protection Act 1998 the Data Controller (BPAS) is responsible for putting in place appropriate organisational and technical processes and protections to avoid the information that they have collected being obtained by third parties unlawfully or as a result of the Data Controller's negligence. BPAS failed to comply with any part of this legislation. The fine is therefore imposed for what could be considered criminal negligence if such a term existed in English law.

    The purpose of punishment under law is to a) ensure some form of retribution against the breaching person/organisation; b) to warn others who may be considering or already committing the same offence; c) to support a public policy objective (in this case to encourage others to protect the data they collect); and d) to show the general public that they are enforcing the laws fairly and unequivocally against all breaching persons or parties.

    On the basis of the arguments presented on here no-one should be prosecuted or fined if no one has been injured even if the law has been broken. Would certainly save on court and legal aid costs as we wouldn't bother prosecuting people who go out and try to murder people but fail (no harm done then).

  12. Alexander Hanff 1

    Not condoning the breach but I do find David Smith's "Ignorance is no excuse" comment laughable. When Google were caught sniffing up everyone's wifi traffic with Streetview ICO's entire reason for NOT taking action was that Google claimed they were ignorant and that it was the work of a lone, rogue engineer.

    So Mr Smith, perhaps you can tell us why a charity with limited funds to purchase a secure system and skilled IT administrators cannot use ignorance as an excuse but Google, a multi-billion dollar megacorp with some of the "best technical minds in the world" working for them are perfectly entitled to use ignorance as an excuse when they are caught intentionally capturing massive amounts of communications data?

    Charity fined £200 000 for a stupid mistake which actually resulted in no harm and could end up shutting down a charity that helps pregnant women (a pretty important charity in my mind).

    Google fined £0.00 for intentionally grabbing emails, web traffic, passwords, instant messages etc. etc. etc. so they can monetise that data through behavioural analytics. A company where even the maximum fine would have had absolutely zero impact on Google's operational abilities.

    But then, I daresay ICO don't get kickbacks from BPAS like they do from Google and I doubt very much their senior executives are offered highly paid roles at BPAS unlike certain ICO staff who went on to work for Google.

    1. Ross K Silver badge

      So Mr Smith, perhaps you can tell us why a charity with limited funds to purchase a secure system and skilled IT administrators cannot use ignorance as an excuse but Google, a multi-billion dollar megacorp with some of the "best technical minds in the world" working for them are perfectly entitled to use ignorance as an excuse when they are caught intentionally capturing massive amounts of communications data?

      A valid point, and one I hope BPAS raises at their appeal.

  13. JassMan
    Their big mistake...

    was to get hacked. If they had sold off the data just like the NHSIC, it would be a pat on the back. They just weren't thinking big enough. Instead of losing 10K records they should have beaten care.data off the mark by selling the medical records of the entire country (after first failing to send leaflets to everyone saying they have to opt out of course.)

  14. Mark Ruit

    Cui bono?

    Slightly odd charity BPAS. It doesn't (AFAIK) go in for chugging, street-bombing for DDs, or tin-rattling. IIRC it is essentially funded by the private clinics.

    That is not any sort of accusation of misfeasance, let alone malfeasance. Their work as a counter to religious zealotry is probably very valuable. (And note that I only 'clause' that because I have no yardstick for it, never having come anywhere near its services.)

    But somehow I don't think BPAS is necessarily wanting for competent management or trustees.

    DP is about attitudes and for too many the attitudes are that it is unimportant.

    BTW - if the record was only of those wanting a call-back, and assuming that separate, more secure, systems were in use to hold the data of those who actually became "clients", then the record itself, by its very existence and never mind the lack of security, contravened several of the 'eight principles'.

  15. Christian Berger

    You should put clauses into your contracts...

    ...which make the provider of IT services responsible for such fines. Then you'd finally get rid of all those "PHP-shops" which have never heard of prepared statements.
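As an added illustration of the prepared-statement point in the comment above (this is not code from the thread, from BPAS or from any of the posters; the table, column names and sample rows are constructed for the demo), here is the same lookup written both ways using Python's standard sqlite3 module, which binds placeholders the same way PHP's PDO prepared statements do:

```python
import sqlite3

# Constructed sample rows for the demonstration (not real records).
SAMPLE_CALLBACKS = [
    ("Alice Example", "07700 900001"),
    ("Bob Example", "07700 900002"),
    ("Carol Example", "07700 900003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE callbacks (name TEXT NOT NULL, phone TEXT NOT NULL)")
    conn.executemany("INSERT INTO callbacks VALUES (?, ?)", SAMPLE_CALLBACKS)
    conn.commit()
    return conn


def lookup_by_concatenation(conn, name):
    """The pattern the comment is complaining about: the user-supplied value is
    spliced into the SQL text, so quote characters in the input change the
    shape of the query instead of being compared as a name."""
    sql = "SELECT name, phone FROM callbacks WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """The fix: the statement is compiled with a placeholder and the value is
    bound separately, so whatever the caller supplies can only ever be data."""
    sql = "SELECT name, phone FROM callbacks WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that is not anybody's name; the concatenated query returns every
    # row because the quoting is broken, the prepared one correctly returns [].
    probe = "' OR '1'='1"
    print("concatenated:", lookup_by_concatenation(db, probe))  # all three rows
    print("prepared:    ", lookup_prepared(db, probe))          # []
```

The point a contract clause like the one above is trying to buy is the second function: with placeholder binding the database never has to guess where the data ends and the query begins, which is why "have you ever heard of prepared statements" is a fair first question to put to any supplier handling personal data.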
