The notorious solicitors firm ACS:Law (Andrew Crossley), which makes its living by harassing UK broadband ISPs and their "suspected" copyright file sharing (p2p) customers, has been hit by a serious Distributed Denial-of-Service (DDoS) attack that left masses of confidential email communications exposed to the public.
It's understood that the website was the subject of a persistent attack by the 'Anonymous' (4chan) activist group. The assault itself, which began earlier last week, was a coordinated action against multiple sites belonging to everybody from the Recording Industry Association of America (RIAA) to another controversial law firm, Davenport Lyons.
The DDoS assaults, which overload web servers with data and can thus cause them to become unusable, came in retaliation after it was revealed that the Motion Picture Association of America (MPAA) had hired an Indian software firm, Aiplex Software, to conduct similar attacks against P2P file sharing websites (e.g. The Pirate Bay).
ACS:Law, much like the other organisations involved, was eventually able to restore its website but inadvertently left an unencrypted backup file for visitors to download. As you might expect, it promptly found its way onto BitTorrent via The Pirate Bay (p2p tracker) website.
Hundreds, possibly even thousands, of confidential personal details and once-private email communications for ACS:Law have been exposed. As supporters of personal privacy we have chosen not to link to or directly quote any of the related communications, although much of the content has already found its way onto websites around the internet and it's not hard to find.
However, the communications reveal many disturbing facts and also appear to confirm that ACS:Law has preferred NOT TO TARGET two specific ISPs with demands for personal details, TalkTalk and Virgin Media UK. Both appear to be more trouble than they're worth for the law firm, which is, after all, centred on making money; that much is also very clear from the emails.
Furthermore, the information also calls into question ACS:Law's P2P IP data collection methods, which are used to gain related "evidence" against suspected acts of internet copyright piracy.
ACS:Law's Andrew J. Crossley commented earlier this summer:
"It is said our data collected is inaccurate and cannot be relied on as sufficient evidence to pursue a claim. This is not true. The data suppliers we use have all separately and independently been assessed and monitored to determine their accuracy and integrity of data captured.
Reports by independent experts are produced and made available to court in advance of our application for disclosure and on each occasion so far the court has felt able to grant our applications, with these reports in mind. The only known and cited example of data being "wrong" is that of the Murdochs (a Davenport Lyons matter). In fact there was no error with the data captured, but an error by an ISP in giving the wrong name to the law firm."
However, the leaked communications reveal that many cases were dropped after ACS:Law accepted that the individuals they had targeted were probably innocent. In other cases the monitoring data, which had been collected by IP monitoring company NG3Sys, was deemed to have too many inconsistencies.
ACS:Law has sent out over 11,000 letters (past two years) to those they suspect of unlawful copyright file sharing, with more than 3,400 recipients choosing to dispute the claim and over 4,500 simply not bothering to respond. This suggests that approximately one third would have chosen to settle their claim and pay out hundreds of pounds to avoid the courts; not that any of the cases ever actually make it that far.
At the end of August 2010 the UK Solicitors Regulation Authority (SRA) chose to officially refer ACS:Law to a Disciplinary Tribunal over its practice of sending "bullying" letters to those accused of having abused their broadband ISP connection for "illegal" copyright file sharing (p2p) activity (original news). Here's a bit more fuel for that fire.
It should be noted that launching a DDoS attack is illegal in the UK, punishable by up to ten years in prison, and many other countries have similar rules.

UPDATE 10:28am

Some of the emails are also reported to contain sensitive financial details, such as credit card numbers.

UPDATE 11:26am

Now Privacy International (PI) is planning to take action over the breach of personal information - HERE
Elsewhere, this particular quote from the ACS:Law emails could be taken as a useful piece of evidence to go after the firm on a criminal charge of attempting to obtain money with menaces. Some have claimed that, if charges are filed, it is the equivalent of US racketeering and extortion laws:
ACS:Law Leaked Email Quote:
"I think pursuing individual infringers' will "scare" them into paying up, more than what Lawdit or other representative would advise their client."
The SRA should take note.

UPDATE 2:08pm
The Open Rights Group (ORG) has said that, as a result of the leak, the BPI (UK music trade body) should admit that their evidence is merely "circumstantial".
Jim Killock, Executive Director of the Open Rights Group, said:
"themselves were not confident of their evidence. Looking at the arguments in the emails it is clear that IP addresses are unlikely to "prove" copyright infringement and therefore avoid actual court cases.
The evidence is substantially the same as will be used under the DEA: that is, IP addresses. Organisations such as the BPI have been arguing that the evidence is reliable. It is, however, merely circumstantial.
We call on the BPI to publicly admit that their 'evidence' is merely circumstantial and amend misleading statements on their website."
It's old news that IP data is unreliable, which is one of the reasons why so few actual legal claims have even made it to court in the UK. The BPI have never appeared to acknowledge this and as a result we do not expect them to respond.

UPDATE 28th September 2010
The latest information suggests that the email leak has exposed a list of more than 8,000 Sky Broadband and 400 PlusNet ISP subscribers. PlusNet has informed affected customers. The leak has also revealed plans by ACS:Law to abuse the Digital Economy Act 2010 (DEA) in order to make more money from file sharing suspects.
Jim Killock, Executive Director of the Open Rights Group, added:
"It's shocking that ACS:Law are prepared to use the Digital Economy Act for their processes in future. And there is little to stop them. They could self-certify their evidence collecting process and send the data to ISPs.
The question is if Ofcom will let us see these methods or will they allow calls of "commercial confidentiality" to keep parts of the processes closed from view?"
In one of the leaked emails an ACS:Law lawyer is quoted as saying: "I have made sure that the requirements satisfy the requirements set out in OFCOM's draft code of conduct," a veiled reference to the DEA.

UPDATE 29th September 2010
Which? response to ACS Law's security breach.
Deborah Prince, Head of Legal Affairs, Which?, said:
"We are pleased to see that the Information Commissioner’s Office (ICO) is fully aware of this apparently serious breach of data protection law and we hope that it acts swiftly to investigate and use its enhanced powers to impose an appropriate sanction, if it finds that the law has been broken. Anyone affected by the disclosure should contact the ICO to add their voice to that investigation.
Anyone who has been wrongly accused of illegal file sharing by ACS Law can find advice on the Which?
Simon Jackson, Technical Manager, Websense:
"Data breaches are once again dominating the headlines. The cyber criminals responsible for this targeted attack on ACS:Law realise the power of leaking a company's confidential customer data to the outside world. But the question on everyone's lips is surely 'how did this happen, again?'
Nimble, flexible Data Loss Prevention (DLP) solutions now exist that enable a company to be protected without the lengthy deployment cycle and prohibitive costs of older, legacy systems. By taking active steps to trace inbound as well as outbound data leaks, and having the visibility of where important and valuable data sits, companies can mitigate the risk of exposure. Data loss is a costly experience not only in monetary terms (for the fines levied) but also in terms of negative impact on an organisation's reputation. It appears that ACS:Law will be fined, perhaps up to five hundred thousand pounds, for breaching the Data Protection Act. The loss of faith could perhaps be even greater."
We are also covering ISP feedback in a separate article HERE