The charity said it will appeal the verdict.
The Information Commissioner’s Office (ICO) has fined the British Pregnancy Advisory Service (BPAS) £200,000 following a data breach which revealed thousands of people’s details to a malicious hacker.
The ICO investigation found that the charity had failed to realise its website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues.
The personal data was not stored securely, and a vulnerability in the website’s code allowed the hacker to access the system and locate the information on 8 March 2012.
The ICO said the hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS.
ICO Deputy Commissioner and Director of Data Protection David Smith said data protection is critical and getting it right requires vigilance.
"The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure," Smith said.
"But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
BPAS chief executive, Ann Furedi, said, "We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.
"This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime," Furedi said.
"It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way. We will be appealing the verdict of the Information Commissioner’s Office."