The response to an attack on BPAS

British Pregnancy Advice Service

  • pregnancy, abortion, advice etc.


  • site was due for renewal at the time
  • thought that had made clear to dev to not hold sensitive information (but this hadn’t been communicated to the contractor
  • hired someone who didn’t have the skills to build the CMS they needed
  • Contact form:
    • Supposed to only send an email, not to store the data
    • This built up over 6 years (9000 html pages), but relatively small
  • Server monitoring was good - just the site was bad
  • Nobody believed it had anything sensitive on it, so the security wasn’t given significant attention


  • Hacked by anonymous - anti-abortion defacement
    • SQLi
    • Malware to allow them back in
    • Posted that he was holding sensitive info about BPAS info
  • Source control helped to identify the files changed by the attacker
  • He seemed to have been using an evaluation copy of the hack software which didn’t mask his IP


  • Fast injunction on the data (12 hrs)
  • Took down server and republished
  • Reported to Met Police
    • Arrested within 24h
    • Prosecuted - 32mo inside
  • Report to ICO


  • Large increase in hack attempts after the news story
    • incl Low Orbit Ion Cannon
  • Investigation took 2 years
    • No visit to BPAS from ICO
  • Hard to find records about original sites
  • No hard evidence that they had communicated to the contractor that no personal data should be stored
  • Fine £250,000
  • Ignorance is no excuse: ICO said that they should have known
  • They assumed that they were not under investigation. Should have gotten Lawyers involved earlier
  • The negative publicity and misunderstandings were quite damaging to the organisation


  • Actual attack was negligible
  • Bad publicity was significant
  • Anxiety for clients
  • Site down for 3 days
  • Follow-on attacks put IT contractor relationship at risk
  • The fine was from charitable funds


  • Most leaks are a result of data sent to the wrong person - actual attacks are pretty rare