Privacy group takes on ACS:Law over porn data breach

Summary: Privacy International has said the law firm is to blame for the theft of personal information relating to thousands of alleged file-sharers of pornographic material

ACS:Law, which has conducted a letter-writing campaign against people suspected of unlawful file-sharing, is facing legal action by Privacy International after those people's details were leaked during a security breach.

On Monday, Privacy International (PI) said that unencrypted emails stolen from ACS:Law included "vast amounts" of information on thousands of internet users. It noted that one report had claimed that a single email included the names, addresses, postcodes and IP addresses of around 10,000 people assumed to have been involved in file-sharing of pornographic works.

The breach of ACS:Law's systems occurred on Friday evening, while the systems were being subjected to a string of distributed denial-of-service (DDoS) attacks by the online collective Anonymous. However, the theft of the emails was only made possible by "poor server administration and a lack of suitable data protection and security technologies", according to PI.

PI said it had briefed the Information Commissioner's Office (ICO) about the breach and that it is preparing a complaint against ACS:Law.

"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress," PI advisor Alexander Hanff said in the statement. "This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."

Anonymous's campaign began on Tuesday, when the group responded to an attack on the file-sharing website The Pirate Bay by launching a broadside against a variety of firms and organisations associated with the war on online copyright infringement.

The websites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) were the initial targets, followed by others, including ACS:Law and Davenport Lyons. The latter two are British law firms currently under investigation by the Solicitors Regulation Authority over their letter-writing campaigns, which demand hundreds of pounds in exchange for not taking the recipient to court for their alleged copyright infringements.

Anonymous renewed its attack on ACS:Law on Friday after the company's top lawyer, Andrew Crossley, was quoted as saying he was less concerned about the first attack than he was about his train turning up late or having to queue for a coffee. As ACS:Law restored its website following this second assault, it inadvertently exposed a backup of its emails. Someone from Anonymous then made these backups available through The Pirate Bay.

According to security company PandaLabs, leaders of the Anonymous group commented on the data theft, which included around three months' worth of emails. They said they had "a lot of stuff here to go through" and said "Payback is a bitch, isn't it Andrew?", a comment directed at Crossley, according to Panda.

PI's Hanff placed the responsibility for the breach solely at the door of ACS:Law.

"Anonymous are certainly guilty of carrying out a DDoS attack, but there's no evidence at all that they hacked the server," he told ZDNet UK. "ACS:Law should never have had those details on the web server in the first place."

Hanff denied that the privacy group's outrage over the breach was related to its opposition to ACS:Law and others who track down the IP addresses of suspected copyright infringers in order to target them with legal threats. "There's no bias here at all," he said.

Noting that he had seen some of the contents of the stolen emails, Hanff said: "As far as I'm concerned, my concern is purely with the victims of this, whose details have put them in an impossible situation — partly because the information was related to pornography, but from my understanding there are other details, such as pleading emails from parties who've been accused, and embarrassing information relating to internal emails between ACS:Law employees as to how they're handling it.

"I've never seen anything like it. ACS:Law's gathering of IP addresses is irrelevant — the consequences of this could be dire," he said.

The ICO responded to the situation by saying that it takes all breaches of the Data Protection Act very seriously.

"Any organisation processing personal data must ensure that it is kept safe and secure," the ICO said in a statement. "This is an important principle of the act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken."

ACS:Law refused to comment on the situation other than to say it is still open for business. At the time of writing, its website was not live.

Topics: Broadband, Security

About

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't be paying many bills. His early journalistic career was spent in general news, working behind the scenes for BBC radio and on-air as a newsreader for independent stations. David's main focus is on communications, of both...
