A UK abortion advice service has been whacked with a £200,000 fine after an inquiry found that it failed to sufficiently protect patient data that was hacked by Anonymous.
Data watchdog the Information Commissioner's Office (ICO) deemed that the British Pregnancy Advice Service (BPAS) did not take adequate measures to safeguard highly sensitive information such as the names, home addresses, dates of birth, and telephone numbers of women consulting the provider.
The breach occurred back in March 2012, at which time the BPAS contended that no medical or personal information had been compromised as a result of the attack.
"Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure," commented David Smith, deputy commissioner and director of data protection, in an ICO statement.
He added: "Ignorance is no excuse. It is especially unforgivable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
In addition, the ICO's investigation found that the BPAS had further breached the UK's Data Protection Act by keeping telephone details of advice seekers on file for five years longer than necessary.
Security experts were quick to respond to news of the fine, noting that it further highlighted the need for public-sector and related bodies to take data protection more seriously.
"First and foremost, we painfully see how the security of systems is everyone's problem. No matter what the organisational chart reads, no matter if you are a full-time employee or contractor, or where you sit in a complex supply chain, everyone in the ecosystem must be diligent, and a weakness in one area in this connected world becomes everyone's problem. I'm excited to see a fine associated with this event because it is unfortunately the only way to change business behaviour," said Lancope CTO Tim 'TK' Keanini.
Keanini added: "If this were not a hacktivist, it would have been likely that this organisation would not have known of the stolen data until it was identified for sale on some black market."