ACS:Law breach prompts ICO warning over data security

The ICO has highlighted companies' responsibilities in ensuring that individuals' private details are adequately secured, in the light of the recent ACS:Law data breach

The UK's information watchdog has emphasised the responsibility companies have to keep individuals' details private, in the wake of ACS:Law's inadvertent leaking of thousands of alleged unlawful file-sharers' personal details.

On Tuesday, information commissioner Christopher Graham detailed the questions his office would be asking in its investigation of the leak, which could lead to a fine for ACS:Law of up to £500,000. His commentary on the matter came as further information about the security breach emerged, including the fact that online sharers of music, not just pornography, had their details exposed.

"There is a simple privacy point here: companies hold our information and they have got to keep it secure," Graham told the BBC. "The question we'll be asking is: how secure was the information? How was it so easily accessed from outside? We'll be asking questions about the adequacy of encryption of information, the firewall, the technology, but also the training in the company and what all that information was doing so public facing and so easily accessed, if that is what has happened."

Andrew Wyatt of software security firm Clearswift noted in a statement that "what's interesting about this particular investigation into data protection breaches is that the Information Commissioner has made it clear that even where a data breach is a result of a malicious cyberattack, this is not an adequate defence and serves as no excuse".

The data breach was not a direct result of the cyberattack on ACS:Law, although that distributed denial-of-service (DDoS) assault — the latest in a wave of tit-for-tat cyberattacks apparently being traded between elements of the pro- and anti-copyright communities — did expose the data. ACS:Law is one of several law firms that has sent thousands of letters to people accused by rights holders of infringing their copyright by sharing their material online. The letters said recipients would be taken to court if they did not pay hundreds of pounds to settle the matter.

After the online collective Anonymous brought down ACS:Law's website with a DDoS attack, the company seems to have briefly displayed its directory structure to those who tried to visit its website. Members of Anonymous saw the unencrypted email backups in one of the directories, copied the data and made it available through torrent sites such as The Pirate Bay.

As people sift through the ACS:Law files, more information about their contents has emerged. According to the BBC, the names, addresses and IP addresses of 8,000 Sky broadband and 400 PlusNet customers suspected of sharing music and films have been made public. This is on top of 5,000 other people suspected of sharing pornography.

The documents also contain personal emails between ACS:Law staff and alleged copyright infringers, including details of settlement payments and, in some instances, other case notes.

"We applaud the ICO [Information Commissioner's Office] for taking this seriously," Privacy International's Alexander Hanff said in a statement on Tuesday. "We were assured by a senior member of the ICO yesterday morning that this was being passed straight on to their enforcement team and that the enforcement was treating it as a matter of urgency. We are currently working on a three-stage complaint for the ICO which will include a summary of complaints from victims, a list of people who fear they may be victims but don't know... and the primary complaint being the issue itself and how we feel that has breached the Data Protection Act."