Privacy group takes on ACS:Law over porn data breach

Summary: Privacy International has said the law firm is to blame for the theft of personal information relating to thousands of alleged file-sharers of pornographic material

TOPICS: Broadband, Security

ACS:Law, which has conducted a letter-writing campaign against people suspected of unlawful file-sharing, is facing legal action by Privacy International after those people's details were leaked during a security breach.

On Monday, Privacy International (PI) said that unencrypted emails stolen from ACS:Law included "vast amounts" of information on thousands of internet users. It noted that one report had claimed that a single email included the names, addresses, postcodes and IP addresses of around 10,000 people assumed to have been involved in file-sharing of pornographic works.

The breach of ACS:Law's systems occurred on Friday evening, while the systems were being subjected to a string of distributed denial-of-service (DDoS) attacks by the online collective Anonymous. However, the theft of the emails was only made possible by "poor server administration and a lack of suitable data protection and security technologies", according to PI.

PI said it had briefed the Information Commissioner's Office (ICO) about the breach and that it is preparing a complaint against ACS:Law.

"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress," PI advisor Alexander Hanff said in the statement. "This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."

Anonymous's campaign began on Tuesday, when the group responded to an attack on the file-sharing website The Pirate Bay by launching a broadside against a variety of firms and organisations associated with the war on online copyright infringement.

The websites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) were the initial targets, followed by others, including ACS:Law and Davenport Lyons. The latter two are British law firms currently under investigation by the Solicitors Regulation Authority over their letter-writing campaigns, which demand hundreds of pounds in exchange for not taking the recipient to court for their alleged copyright infringements.

Anonymous renewed its attack on ACS:Law on Friday after the company's top lawyer, Andrew Crossley, was quoted as saying he was less concerned about the first attack than he was about his train turning up late or having to queue for a coffee. As ACS:Law restored its website following this second assault, it inadvertently exposed a back-up of its emails. Someone from Anonymous then made these backups available through The Pirate Bay.

According to security company PandaLabs, leaders of the Anonymous group commented on the data theft, which included around three months' worth of emails. They said they had "a lot of stuff here to go through" and said "Payback is a bitch, isn't it Andrew?", a comment directed at Crossley, according to Panda.

PI's Hanff placed the responsibility for the breach solely at the door of ACS:Law.

"Anonymous are certainly guilty of carrying out a DDoS attack, but there's no evidence at all that they hacked the server," he told ZDNet UK. "ACS:Law should never have had those details on the web server in the first place."

Hanff denied that the privacy group's outrage over the breach was related to its opposition to ACS:Law and others who track down the IP addresses of suspected copyright infringers in order to target them with legal threats. "There's no bias here at all," he said.

Noting that he had seen some of the contents of the stolen emails, Hanff said: "As far as I'm concerned, my concern is purely with the victims of this, whose details have put them in an impossible situation — partly because the information was related to pornography, but from my understanding there are other details, such as pleading emails from parties who've been accused, and embarrassing information relating to internal emails between ACS:Law employees as to how they're handling it.

"I've never seen anything like it. ACS:Law's gathering of IP addresses is irrelevant — the consequences of this could be dire," he said.

The ICO responded to the situation by saying that it takes all breaches of the Data Protection Act very seriously.

"Any organisation processing personal data must ensure that it is kept safe and secure," the ICO said in a statement. "This is an important principle of the act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken."

ACS:Law refused to comment on the situation other than to say it is still open for business. At the time of writing, its website was not live.

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Talkback

7 comments
  • The data was not "stolen". It was placed in a publicly accessible folder and although this was probably an oversight it was not the result of criminal activity or determined hacking. The data was presented to the world on a plate.
    DosMashos
  • This whole fiasco is the fault of ACS law, no one else, they kept emails on an Internet server. This is gross incompetence not theft repeat NOT THEFT
    Lisalovelace
  • It certainly does not, at this point, seem to be a matter of hacking - I hope we did not give that impression, because I don't think we did.

    Over to PandaLabs' Sean-Paul Correll, who just emailed me: "I've spoken with Anonymous leaders and they said that they were able to retrieve the e-mail backup because the site displayed a directory listing briefly after coming back online during the attack. The e-mail backup archive was located in the public directory, which is a major security and privacy risk for all parties involved."
    David Meyer
  • Anonymous sounds no better than a bunch of thugs. Web sites are a form of speech or press and a DDOS is tantamount to censorship. Launching a DDOS against a site is like shouting "BLAH BLAH BLAH" to drown out a speaker -- childish.

    If Anonymous has a problem with a group, they should post their arguments where they can be discussed rationally.
    Pony99CA
  • To AnonymousSucks:
    If you'd done a bit more reading on this article, you would have discovered from these "leaked" emails, ACS:Law actually hired a company to DDoS attack Anonymous back. The company even openly admitted to this illegal activity. Is that "childish" enough for you?
    The "thugs" in this whole fiasco are the law firms who are effectively bullying people, many of whom are totally innocent, into "paying up or else". They are using questionable methods to obtain people's private information, and then not taking the appropriate and legally enforceable measures to keep that information safe.
    The upshot of this is likely to be that ACS:Law will end up bankrupt. The only downside to this is that Andrew Crossley will end up getting off scot-free, opening up another law firm and still brag about "which car should I get, a Lambo or a Ferrari?" (He actually ended up with a Jeep - read the e-mails for yourself.)
    Hoggie-f2482
  • Your news report requires updating as the files posted on the internet also contain an additional list of 8040 names, addresses and further details of people that have been fined for downloading "music" too.
    anon2012-317b7
  • The more I read about ACS Law, their boss, and their methods of doing business, the more I smell a large rodent.
    Swalker401