Information commissioner says data was not stored securely after hacker threatened to publish women's personal details

This article is more than 6 years old

The UK's main abortion provider is to appeal against a £200,000 fine imposed after an anti-abortion campaigner hacked its website and accessed the names and telephone numbers of thousands of women requesting advice.

The hacker threatened to publish the names and addresses of women using the British Pregnancy Advisory Service, but was prevented by a court injunction. He was sentenced to 32 months in jail.

The Information Commissioner's Office (ICO), which imposed the fine, said the charity did not realise its website stored the names, addresses, dates of birth and telephone numbers of women who asked for its advice.

But ignorance was no excuse, said David Smith, the ICO's deputy commissioner and director of data protection.

"It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."

The information commissioner said the personal data was not stored securely and a vulnerability in the website's code allowed the hacker to access the system and locate the information.

BPAS also breached the Data Protection Act by keeping the details of callers for five years longer than was necessary for its purposes, the ICO said.

BPAS said it was appalled by the hacking, which it reported immediately to the police, but was also shocked by the size of the fine, against which it would appeal.

"We accept that no hacker should have been able to steal our data, but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do," the chief executive, Ann Furedi, said.

"BPAS is a charity which spends any proceeds on the care of women who need our help and on improving public education and knowledge on contraception, fertility and unplanned pregnancy.

"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.

"It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way."

The hacker broke into the website on 8 March 2012.

"He defaced our website with anti-abortion messages and obtained names and telephone numbers of people who had used a web form to request a callback from BPAS staff to discuss issues relating to pregnancy, contraception and sexual health," the charity said in a statement.

But the names, details and medical records of women who had used the abortion service were never at risk, the charity added.