The UK Information Commissioner’s Office announced that it has fined (pdf) the British Pregnancy Advice Service £200,000 “after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.”
An ICO investigation found the charity didn’t realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely, and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
The hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS. […]
The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.