The ICO has issued the British Pregnancy Advisory Service (BPAS) with a fine for £200,000 after a malicious hacker gained access to the personal data stored within BPAS' website. This investigation indicates that is it not only public bodies who may be the focus of ICO investigations and the recipients of large fines. In this instance a hacker, an anti-abortion campaigner, had intended gain access to BPAS' website in order to deface it. When access was gained to the website, the hacker realised that he had gained access to the personal details of almost 10,000 people who had requested a call back from BPAS for advice about sexual health and conception issues.
The ICO's investigation revealed that BPAS did not realise its own website was collecting and storing the personal data of its users. The website's coding was also insecure and vulnerable to attack. BPAS had employed an external website developer to redevelop its website, however the ICO criticised the organisation for failing to understand exactly what information it was holding and ensuring effective security measures to protect that data.
The hacker threatened to publish the names of the individuals who had contacted BPAS, but was prevented from doing so by an injunction obtained by BPAS. The fact that the ICO imposed such a large fine, despite BPAS having taken extensive steps to prevent any detriment to the individuals whose data was compromised, demonstrates the ICO's firm stance on such issues.
What does this mean for businesses? Ruth Boardman, co-head of Bird & Bird's International Data Protection practice comments: "Businesses should develop rigorous policies governing software and website development work where there is a possibility that personal data may be involved. Development work should be regularly audited to ensure that the company who will eventually own or operate the software or website is aware of exactly what personal data is collected and stored and how its security is protected".