The incident occurred in March 2012 when hacker James Jeffery infiltrated the charity’s content management system (CMS) and defaced its website in a protest at the work BPAS does.
Jeffery then threatened to publish the names, dates of birth, addresses and telephone numbers of 9,900 people who had contacted the charity asking for guidance on a raft of serious issues such as abortion and vasectomy treatments.
However, the police were able to arrest Jeffery before any information was released. He was given a two-and-a-half year prison sentence.
The subsequent investigation by the ICO underlines the issues IT managers face when it comes to security and the need for constant checking of the processes in place for data-gathering and hosting.
BPAS gathered the data on 9,900 members of the public via a ‘call back’ form, which requested their name, date of birth, address and telephone number. This data was then stored within the CMS.
When it had contracted an IT company to build its website in 2007, it had decided against storing this data within the CMS, due to security concerns. But this was not properly communicated to the IT company, so the feature was built in anyway. BPAS had no knowledge it was collecting personal data in an unsecured manner.
The ICO said BPAS’s failure to properly secure its data and have contracts in place with IT partners about the requirements of the tools it commissioned was deeply concerning and merited a sizeable fine.
“BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the BPAS website,” it said in its report.
It also said the charity failed to carry out any security testing on its website, which could have brought the issues to light.
ICO deputy commissioner David Smith said the incident underlines the need for vigilance and respect towards data that is being collected and stored.
"BPAS didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure. But ignorance is no excuse," he said.
"It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
BPAS chief executive Ann Furedi said the charity was “horrified” by the scale of the fine and would be appealing to the ICO.
"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime," she said. "It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way."
The fine will be reduced to £160,000 if BPAS pays by the end of March