Yesterday, the UK's privacy regulator Information Commissioner's Office (ICO) announced that the British Pregnancy Advice Service (BPAS), a UK registered charity, has been fined £200,000 for losing personal data relating to 9,900 individuals from its web site in March 2012.
[BPAS] bpas has robust systems of governance in place for both clinical and general management
The Monetary Penalty Notice, issued on 28th February 2014, describes how someone found vulnerabilities in the BPAS web site content management system (CMS) using a scanning tool. It seems they did not have to resort to manual application penetration testing. They exploited this to deface the website and also take personal data from people who had submitted an advice call back form on the site. Each record contained the name, date of birth, address and telephone number of the person. Although no other sensitive data was stored, the individuals were probably asking for advice about one of the services offered by the charity: contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction.
[ICO] Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker.
The perpetrator threatened to publish the names of the individuals. Fortunately he was identified, an injunction was obtained from the High Court to prevent him from publishing any information, the data was recovered and the he was arrested by the police, and apparently subsequently received a prison sentence of 32 months. Even though the web site was allegedly not meant to be storing the call back information, it was still BPAS's responsibility to ensure this was the case, and also to secure its assets more generally. But the charity has published a press release stating surprise and shock at the level of the fine.
[BPAS] we are horrified by the scale of the fine, which does not reflect the fact that bpas was a victim of a serious crime by someone opposed to what we do. ... This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.
This would seem to be a likely attack. There will be individuals who will want to harm BPAC and its reputation. We do not know the method of exploitation, although a vulnerability found by simple scanning of the CMS suggests so perhaps it could relate to perhaps:
- SQL injection via the CMS log in form
- Theft of admin credentials or session identifiers using cross-site scripting
- Authentication bypass
BPAS suggests that the data was lost because it was being stored without their knowledge. But if the web site can be compromised it could be as easy for the attacker to capture the information in transit even if it is not stored on the server.
The real victims could so easily have been the people whose data was stolen not BPAS. Is a £20 fine per individual affected actually enough? Also, the data might have been taken previously by someone else who neither defaced the website and nor contacted BPAS about their success. If an organisation thinks it cannot afford a fine of this level, it should take action to reduce the likelihood of it occurring. The disruption and effort dealing with this sort of event is also very great. In the event of data not being recovered and prevented from being distributed more widely as in this case, the cost of identity monitoring might exceed the fine issued by the ICO.
[me] is a £20 fine per individual affected actually enough?
The ICO also recently announced a new Conducting Privacy Impact Assessments (PIAs) Code of Practice, developed after a consultation about how PIAs have been working. In that announcement, Steve Wood ICO Head of Policy said:
[ICO] The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people's information.
Same for non-bedroom developed websites. Charities and professional services organisations take note.