Bit of a theme running through this week’s news – this one’s about the British Pregnancy Advice Service being a bit cavalier with clients’ contact details, which were hacked (the hacker has already been sent to prison).
According to Naked Security,
“The cause of BPAS’ ignorance was the fact that, in 2007, it had used a third party IT company to develop an online appointment booking service. BPAS elected not to store user data in the CMS due to security concerns, but failed to adequately communicate this to the IT company, and the feature ended up being built in anyway.
The ICO investigation also found that the personal data was not stored securely.
Additionally, it was also found that BPAS had stored call back information for five years longer than was necessary for its purpose – a breach of the Data Protection Act.”
Particularly galling is that the BPAS is now complaining about being fined, because it is “the victim”. It is not the victim: the people whose personal details it failed to protect are the victims.