The organization has been fined £200,000 ($335,000 / €241,500) for exposing customer data

Mar 7, 2014 12:39 GMT  ·  By

Back in March 2012, the UK Metropolitan Police arrested 27-year-old James Jeffery on suspicion of hacking into the systems of the British Pregnancy Advisory Service (BPAS). Now, the Information Commissioner’s Office has decided to fine BPAS for breaching the Data Protection Act.

At the time of the incident, the perpetrator, who claimed to be an Anonymous hacker, defaced the BPAS website and threatened to leak its entire database. The database contained the names, addresses, dates of birth, and phone numbers of around 10,000 women who had asked for a call back for advice on pregnancy issues.

One month later, Jeffery, who used the online moniker Pablo Escobar, was sentenced to 32 months in prison after pleading guilty.

The ICO is displeased that BPAS failed to securely store customer information. What's more, the charity didn't even realize the information was being stored on the site.

Furthermore, the information should not have been retained for as long as it was. BPAS breached the Data Protection Act by storing the details for five years longer than was necessary.

For this, the organization has been fined £200,000 ($335,000 / €241,500) by the ICO. BPAS will get a discount on the penalty to £160,000 ($267,000 / €193,000) if it pays by March 31, 2014.

“Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure,” said David Smith, ICO Deputy Commissioner and Director of Data Protection.

“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe,” Smith added.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

On Thursday, the ICO signed a memorandum of understanding with the United States’ Federal Trade Commission (FTC). The two have agreed to work together to protect consumer privacy.

“As consumer data increasingly crosses borders, the FTC needs to be able to work with privacy enforcers around the globe in investigating potential violations of law. This arrangement with our UK counterpart will help us cooperate on privacy investigations more effectively,” said FTC Chairwoman Edith Ramirez.