The Information Commissioner’s Office (ICO) has fined the British Pregnancy Advice Service (BPAS) £200,000 after almost 10,000 personal records were compromised.
In 2012, the BPAS suffered an attack by a pro-life hacker who was opposed to the company’s abortion advice. According to the ICO undertaking, the attacker exploited a vulnerability in 2012 which revealed the 9,900 names, dates of birth, addresses and telephone numbers that had been collected via a “call back” feature.
The BPAS, which offers services including contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction, had been collecting the data without knowing it after a third party added this feature in 2007. The ICO found that the BPAS mistakenly assumed that the scaled-down CMS function would only generate an email when users completed the ‘call back web form’, which would be sent to the secure email server, with no call back data being retained on the website.
Instead the data was collected, and BPAS did not ensure that administrative passwords were stored securely or that stated standards of communication confidentiality were met. The ICO also said that BPAS failed to carry out appropriate security testing on the website which would have alerted them to the vulnerabilities that were present, and did not ensure that the underlying software supporting the website was kept up to date.
The hacker had threatened to release the data, but was arrested the next day after the flaw was identified.
The ICO found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
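The two failings above, not knowing what personal data a form had retained and keeping it for years beyond its purpose, are the kind of thing a small controller can check with a routine script. The following is an added example, not code from BPAS, its contractor or the ICO: it inventories the fields held in a constructed set of call-back records (modelled on the fields the notice lists) and flags records past an assumed 90-day retention window.

```python
from dataclasses import dataclass, fields
from datetime import date, timedelta

# Assumed retention policy for this example: a call-back request has served its
# purpose once handled, so anything older than 90 days is due for deletion.
RETENTION_DAYS = 90

@dataclass
class CallBackRecord:
    # The field set mirrors what the ICO notice says the form captured.
    name: str
    date_of_birth: date
    address: str
    telephone: str
    submitted_on: date

# Constructed sample data; names, numbers and dates are illustrative only.
SAMPLE_RECORDS = [
    CallBackRecord("A. Example", date(1985, 4, 2), "1 Sample St", "0100 000 0001", date(2007, 6, 1)),
    CallBackRecord("B. Example", date(1990, 9, 15), "2 Sample St", "0100 000 0002", date(2012, 1, 20)),
    CallBackRecord("C. Example", date(1978, 12, 30), "3 Sample St", "0100 000 0003", date(2012, 3, 5)),
]

def inventory(records):
    """Count how many records hold each personal-data field, so the controller
    can see what an 'email only' form has actually retained on the server."""
    personal = [f.name for f in fields(CallBackRecord) if f.name != "submitted_on"]
    return {name: sum(1 for r in records if getattr(r, name)) for name in personal}

def split_by_retention(records, today, retention_days=RETENTION_DAYS):
    """Return (keep, purge): records submitted before the cutoff are due for deletion."""
    cutoff = today - timedelta(days=retention_days)
    keep = [r for r in records if r.submitted_on >= cutoff]
    purge = [r for r in records if r.submitted_on < cutoff]
    return keep, purge

def retention_report(records, today, retention_days=RETENTION_DAYS):
    """Summarise how far the oldest record sits beyond the policy window."""
    keep, purge = split_by_retention(records, today, retention_days)
    oldest = min((r.submitted_on for r in records), default=None)
    cutoff = today - timedelta(days=retention_days)
    beyond = (cutoff - oldest).days if oldest and oldest < cutoff else 0
    return {"held": len(records), "within_policy": len(keep),
            "to_purge": len(purge), "days_beyond_policy": beyond}

def demo(today_iso="2012-03-10"):
    """Run both checks over the constructed sample as of the given date."""
    today = date.fromisoformat(today_iso)
    return inventory(SAMPLE_RECORDS), retention_report(SAMPLE_RECORDS, today)
```

Run against a real store, the inventory answers "what are we holding?" and the report answers "for how long?"; the purge list is what a scheduled deletion job would act on.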
David Smith, deputy commissioner and director of data protection, said: “Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure.
“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.
“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”
Joel Barnes, senior systems engineer at Tripwire, suspected that they may be constrained on security budget and put more focus on the service they deliver than the security of the data behind it. “From an initial standpoint, this looks like they may have outsourced their website and assumed that the provider would deal with the security issues. As such, there was either a failure in due diligence in assessing the third party, or a lack of maturity and time to assess a homegrown solution.”
Malwarebytes security researcher Christopher Boyd, said: “As for the ICO fine, given the sensitivity of the data, it’s surprising there weren’t more safeguards. I think this has been reflected in the fine imposed by the ICO.
“Reading between the lines, it shows that the ICO is keen to stress that being unaware of the risk to data is no longer a defence. This means that those in charge of large data-sets are going to need to be extra vigilant, both making sure they know what data is stored, and ensuring the right technology is in place.”
Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said: “The fine for the BPAS is not a surprise, and I have to feel sympathy for them. Like many registered charities, they are never going to be able to attract top IT staff, and with their limited resources, it will very often mean that they will outsource services, such as website development.
“What this shows is that great care needs to be taken when doing this type of work. If you don’t have the staff that can do proper penetration testing on applications such as websites, then you are at serious risk of a breach. There are so many risk areas associated with websites that professional testing is essential.”
Brendan Rizzo, technical director EMEA at Voltage Security, said that companies need to fully understand the responsibility that is intrinsically and automatically linked with their collection of any sensitive data. When the job of implementing an information-gathering system falls to an outsourced contractor, he said, the contractor’s goals can lean towards the immediate deliverable of getting this information from the end user to the company, without enough attention being paid to the lifecycle of how this sensitive data will be used, stored and ultimately deleted.
“The responsibility of making sure the data is protected remains firmly with the company collecting the data however. They are the ones that must ensure that any such systems have adherence to the Data Protection Act, and therefore the protection of the end user, in mind at every step from design to delivery and ongoing operational use,” he said.
TK Keanini, CTO of Lancope, said that no matter what the organisational chart reads or who the person is, everyone in the ecosystem must be diligent and a weakness in one area in this connected world becomes everyone’s problem.
He said: “I’m excited to see a fine associated with this event because it is unfortunately the only way to change business behaviour. If the fine is too low, it will be cheaper to just get breached and pay the fines, so the amount is an important factor.
“While the insecure storage of the data was a poor design, the security of the public website system itself is more important because even if there were no data being stored, attackers would have compromised the system and turned it into a ‘watering-hole’ attack whereby malware would be stored on it and users of the system would have been compromised in the same manner with data stolen and even worse, malware installed on their client machine to then steal even more credentials and data from other sites (ecommerce, e-business, e-government, financial, etc).”