The monthly e-zine from Delta Comtech


Firm behind data leak faces £500,000 fine

In September 2010 a huge data leak story broke all over the media, with the company at the centre of the scandal facing potentially crippling fines and damage to its reputation.

 
 

It was a concerted attempt to hack the servers of copyright enforcement firm ACS:Law that led to the disclosure of thousands of personal details on the internet last month. Would-be illegal file sharers allegedly plotted this revenge attack, which exposed an email list with attachments that contained unencrypted personal user data. However, the victim soon became the accused.

The article below provides some of the reaction to these events, including the threat of record fines against the firm. But as you read it, ask yourself what measures you have in place to prevent your own organisation falling foul of similar tactics.

 

 

The firm behind the leak of the personal details of thousands of Sky broadband customers could face a fine of half a million pounds, the UK's Information Commissioner (ICO) has said.

The list, which was produced by ACS:Law, revealed the names and addresses of more than 5,300 people who were allegedly sharing adult films illegally online. The list was made public when it was published on the internet after an attack on the company's website.

Expert reaction

Christopher Graham told The Independent that ACS:Law were facing a number of questions.

"The question we will be asking is how secure was this information and how it was so easily accessed from outside. We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing."

"The Information Commissioner has significant power to take action and I can levy a fine of up to half a million pounds on companies that flout the Data Protection Act," he added.

As reported by the BBC, ACS:Law made a business out of sending letters to alleged net pirates telling them to pay compensation of around £500 per infringement or face court action.

The company used third-party firms to scour the internet looking for possible infringements of music and film copyright. After identifying the user's IP address, their lawyers could then apply for a court order enabling them to obtain the physical address of the PC from the service provider whose network had allegedly been used for file sharing.

Privacy expert Simon Davis said the leak was "one of the worst breaches" of the Data Protection Act (DPA) he had ever seen.
 

 

Mike Orton, Technical Director at Delta Comtech, says: “Interestingly, BT managed to get itself embroiled in this story. Investigations have revealed that a BT lawyer, acting as instructed by a court order, emailed personal information to ACS:Law, but failed to use any form of encryption - a clear and immediate breach of the Data Protection Act.

ACS:Law has attempted to use the defence that it was the victim of a criminal action. The Information Commissioner has responded that companies handling sensitive information must expect to be targeted and take appropriate measures (including technical aspects, but also staff training) to ensure that data is secured.

If you are concerned about your company's data security then please give us a ring on the number below and we will arrange a full security review.”

 


Delta Comtech Ltd
Artillery House, Heapy Street
Macclesfield, Cheshire, SK11 7JB

Tel: 0844 412 8102
info@delta-comtech.co.uk