Monetary Fine for BPAS Security Error the 'Only Way to Change Behaviour'

A cyber-security expert has said the monetary fine handed down to the British Pregnancy Advice Service (BPAS) is the only way to change behaviour.

Last week, the Information Commissioner's Office (ICO) issued a monetary penalty at the BPAS.

Despite BPAS chief executive Ann Furedi saying to BBC News that the fine "seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime" and that as a charity this would affect its customers directly, the £200,000 fine was for a serious breach.

In 2012, the BPAS suffered an attack by a pro-life hacker who was opposed to the company's abortion advice. According to the ICO report, the attacker exploited a vulnerability in 2012 which revealed 9,900 names, dates of birth, addresses and telephone numbers that had been collected via a "call back" feature.

The BPAS, who offer services including contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction, collected the data unknowingly when it thought that a scaled down CMS function would only generate an email when users completed the 'call back web form'.

Failure

Instead the data was collected, and the ICO said that the BPAS failed to carry out appropriate security testing on the website which would have alerted them to the vulnerabilities that were present, and did not ensure that the underlying software supporting the website was kept up to date.

David Smith, deputy commissioner and director of data protection, said: "The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.

"But ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."

Not a surprise

TK Keanini, CTO of Lancope, said that he was excited to see a fine associated with this event because it is unfortunately the only way to change behaviour. "While the insecure storage of the data was a poor design, the security of the public website system itself is more important because even if there were no data being stored, attackers would have compromised the system and turned it into a 'watering-hole' attack."

Likewise, Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said that the fine was not a surprise, and he felt sympathy for them as they are never going to be able to attract top IT staff and with their limited resources, and will often have to outsource services such as website development.

"What this shows is that great care needs to be taken when doing this type of work. If you don't have the staff that can do proper penetration testing on applications such as websites, then you are serious risk of a breach. There are so many risk areas associated with websites, that makes professional testing essential."

Third parties

The issue is that the BPAS assumed that the third party would deal with the issues and working to a brief, it seems that there is blame to be laid but the third party were only working to a brief. As has been researched in the past, third parties will not face the blame as the ICO said that "making individuals or other contractors responsible for data breaches would require the law to be changed, which would be a matter for the government to consider".

There is a case of fairness and sympathy will be with the BPAS in having to pay such a heavy fine, but from the security industry there will be confusion as to how such a privacy flaw existed for so long, and how it was not able to detect the mass collection of personal information. A case exists for regular resting and security evalution.

Dan Raywood is editor of IT Security Guru.