The UK Information Commissioner’s Office (ICO) has fined a registered charity, the British Pregnancy Advice Service (BPAS), £200,000 following an attack on its website. BPAS is the largest provider of abortion services in the UK. Its website had been attacked by an individual who disagreed with abortion. The attacker gained access to the personal details of thousands of individuals who had viewed the BPAS website and requested a call back from the organisation. The attacker intended to publish the details, but the information was recovered by the police before it could be published. The ICO found that BPAS had failed to take appropriate technical and organisational measures to prevent unauthorised processing of personal data on its website and, in particular, had failed to carry out appropriate security testing on the website, which would have alerted it to the website's vulnerabilities. The fact that BPAS was allegedly unaware that the personal details stored on the website were vulnerable to this type of attack was found to be unacceptable by the ICO, particularly since the data in question related to the extremely personal and sensitive services provided by BPAS.
TIP: This case is a reminder that organizations that collect personal data online should ensure that the data is held securely. Cyber-attacks are on the rise, and companies are expected to be prepared.