By: MarkJ - 27 September, 2010 (6:29 AM)
The notorious solicitors' firm ACS:Law (Andrew Crossley), which makes its living by harassing UK broadband ISPs and their "suspected" copyright file sharing (P2P) customers, has been hit by a serious Distributed Denial-of-Service (DDoS) attack, in the aftermath of which masses of confidential email communications were exposed to the public.

It's understood that the website was the subject of a persistent attack by the 'Anonymous' (4chan) activist group. The assault itself, which began earlier last week, was a coordinated action against multiple sites belonging to everybody from the Recording Industry Association of America (RIAA) to another controversial law firm, Davenport Lyons.

A DDoS attack floods a web server, from many machines at once, with more traffic or requests than it can service, so that legitimate visitors can no longer reach the site. These assaults came in retaliation after it was revealed that the Motion Picture Association of America (MPAA) had hired an Indian software firm, Aiplex Software, to conduct similar attacks against P2P file sharing websites (e.g. The Pirate Bay).

ACS:Law, much like the other organisations involved, was eventually able to restore its website, but in doing so it left an unencrypted backup file in a publicly reachable location on the web server, where any visitor could download it. It is worth being clear that the DDoS itself did not extract any data; the exposure was a mistake made during the recovery. As you might expect the file promptly found its way onto BitTorrent via The Pirate Bay (P2P tracker) website.
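A practical check that would have caught this: before (or immediately after) putting a restored site back online, walk the document root and flag anything that looks like a backup, database dump or mail archive, because every file under that directory is one URL away from any visitor. The script below is an added example with a constructed directory tree and invented file names; it is not ACS:Law's or any vendor's tooling.

```python
"""Walk a web document root and flag files that look like backups, dumps or
archives. Added example with a constructed directory tree; it is not ACS:Law's
or any vendor's tool, and the file names below are invented for the demo."""
import os
import stat
import tempfile

# Name patterns that usually mean "this should never be under the docroot".
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".tar", ".tar.gz",
                   ".tgz", ".zip", ".7z", ".pst", ".mbox", ".dump", "~")
BACKUP_MARKERS = ("backup", "bkp", "dump", "export")


def looks_like_backup(name: str) -> bool:
    """True if the file name matches a backup/archive pattern."""
    low = name.lower()
    return low.endswith(BACKUP_SUFFIXES) or any(m in low for m in BACKUP_MARKERS)


def find_exposed_backups(docroot: str):
    """Return [(relative_path, size_bytes, world_readable)], sorted by path.

    Anything under the docroot is reachable by URL unless the web server is
    explicitly told otherwise, so the location is the finding; the mode bit is
    reported only as a secondary clue about how the file got there.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fn in files:
            if not looks_like_backup(fn):
                continue
            full = os.path.join(dirpath, fn)
            st = os.stat(full)
            hits.append((os.path.relpath(full, docroot),
                         st.st_size,
                         bool(st.st_mode & stat.S_IROTH)))
    return sorted(hits)


def build_sample_docroot() -> str:
    """Create a constructed docroot in a temp dir: a normal site plus three
    files a careless restore might leave behind. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    sample = {
        "index.html": b"<html>hello</html>",
        os.path.join("css", "style.css"): b"body{}",
        os.path.join("backup", "mail-backup.tar.gz"): b"\x1f\x8b" + b"\x00" * 64,
        "site.sql": b"CREATE TABLE users (id int);",
        "config.php~": b"<?php $db_pass='x';",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, size, readable in find_exposed_backups(build_sample_docroot()):
        print(f"{rel}: {size} bytes, world-readable={readable}")
```

Run it against the real document root instead of the sample tree, and treat a hit as a reason to move the file out of the served tree altogether rather than to tighten its permissions: the web server reads files as its own user, so a mode-600 file owned by that user is still served. Name matching is only a heuristic; a server-side rule that refuses to serve archive extensions is the belt to this script's braces.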

Hundreds, possibly even thousands, of confidential personal details and once private email communications for ACS:Law have been exposed. As supporters of personal privacy we have chosen not to link or directly quote any of the related communications, although much of the content has already found its way onto websites around the internet and it's not hard to find.

However the communications reveal many disturbing facts and also appear to confirm that ACS:Law has preferred not to target two specific ISPs, TalkTalk and Virgin Media UK, with demands for personal details. Both appear to be more trouble than they're worth for the law firm, which is, after all, centred on making money; that much is also very clear from the emails.

Furthermore the information also calls into question ACS:Law's P2P IP data collection methods, which are used to gain related "evidence" against suspected acts of internet copyright piracy.

ACS:Law's Andrew J. Crossley commented earlier this summer:

"It is said our data collected is inaccurate and cannot be relied on as sufficient evidence to pursue a claim. This is not true. The data suppliers we use have all separately and independently been assessed and monitored to determine their accuracy and integrity of data captured.

Reports by independent experts are produced and made available to court in advance of our application for disclosure and on each occasion so far the court has felt able to grant our applications, with these reports in mind. The only known and cited example of data being 'wrong' is that of the Murdochs (a Davenport Lyons matter). In fact there was no error with the data captured, but an error by an ISP in giving the wrong name to the law firm."

However the leaked communications reveal that many cases were dropped after ACS:Law accepted that the individuals they had targeted were probably innocent. In other cases the monitoring data, which had been collected by IP monitoring company NG3Sys, was deemed to have too many inconsistencies.

Apparently ACS:Law has sent out over 11,000 letters (past two years) to those they suspect of unlawful copyright file sharing, with more than 3,400 recipients choosing to dispute the claim and over 4,500 simply not bothering to respond. That leaves roughly 3,100 recipients, a little under a third, who would appear to have settled and paid out hundreds of pounds to avoid the courts; not that any of the cases ever actually make it that far.

At the end of August 2010 the UK Solicitors Regulation Authority (SRA) chose to officially refer ACS:Law to a Disciplinary Tribunal over its practice of sending "bullying" letters to those accused of having abused their broadband ISP connection for "illegal" copyright file sharing (P2P) activity (original news). Here's a bit more fuel for that fire.

It should be noted that launching a DDoS attack is illegal in the UK under the Computer Misuse Act 1990 (section 3, as amended by the Police and Justice Act 2006), punishable by up to ten years in prison, and many other countries have similar rules.

UPDATE 10:28am

Some of the emails are also reported to contain sensitive financial details, such as credit card numbers.

UPDATE 11:26am

Privacy International (PI) is now planning to take action over the breach of personal information - HERE.

Elsewhere, this particular quote from the ACS:Law emails could be taken as a useful piece of evidence to go after the firm on a criminal charge of demanding money with menaces (blackmail). Some have claimed that, if charges are filed, it is the equivalent of US racketeering and extortion laws:

ACS:Law Leaked Email Quote:

"I think pursuing individual infringers will "scare" them into paying up, more than what Lawdit or other representative would advise their client."

The SRA should take note.

UPDATE 2:08pm

The Open Rights Group (ORG) has said that, as a result of the leak, the BPI (UK music trade body) should admit that its evidence is merely "circumstantial".

Jim Killock, Executive Director of the Open Rights Group, said:

"Even ACS:Law themselves were not confident of their evidence. Looking at the arguments in the emails it is clear that IP addresses are unlikely to "prove" copyright infringement and therefore avoid actual court cases.

The evidence is substantially the same as will be used under the DEA: that is, IP addresses. Organisations such as the BPI have been arguing that the evidence is reliable. It is, however, merely circumstantial.

We call on the BPI to publicly admit that their 'evidence' is merely circumstantial and amend misleading statements on their website."

It's old news that IP data is unreliable, and it's worth spelling out why: an IP address and timestamp, even when logged accurately, identify at most the broadband account the traffic was attributed to at that moment, not the person at the keyboard, and any error in the monitoring clock, the time zone or the ISP's lookup breaks even that link. That is one of the reasons why so few actual legal claims have ever made it to court in the UK. The BPI have never appeared to acknowledge this and as a result we do not expect them to respond.
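To make the "inconsistencies" mentioned above concrete, here is an added example that runs three plausibility checks over monitoring records before anyone would turn them into a subscriber lookup: the address must be public, non-shared space that an ISP can tie to one account; the timestamp must carry an explicit UTC offset; and the reported client version must actually have existed on the observed date. The log format, the client name, its version numbers and the release dates are all constructed for the demo and do not describe NG3Sys's or any real monitoring firm's method.

```python
"""Plausibility checks over P2P monitoring records of the kind behind the
ACS:Law letters. Added example: the log format, the client name, the version
numbers and the release dates are all constructed for the demo and do not
describe NG3Sys or any real monitoring firm."""
import ipaddress
from datetime import datetime, timezone

# Hypothetical client release dates. A record showing a version before the
# date it shipped cannot be an accurate observation (one commenter below
# reports exactly this from the leaked correspondence).
CLIENT_RELEASES = {
    ("ExampleTorrent", "2.1"): datetime(2010, 3, 1, tzinfo=timezone.utc),
    ("ExampleTorrent", "2.2"): datetime(2010, 7, 15, tzinfo=timezone.utc),
}

# Address space that cannot be tied to one subscriber: RFC 1918 private
# ranges, loopback, link-local and the RFC 6598 carrier-grade NAT block.
NON_SUBSCRIBER_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample log, one observation per line:
# ip,timestamp,client,version,title  (203.0.113.0/24 is a documentation
# range standing in for real subscriber addresses)
SAMPLE_LOG = """\
203.0.113.10,2010-05-02T23:10:00+01:00,ExampleTorrent,2.1,Film A
203.0.113.11,2010-03-12T02:00:00+00:00,ExampleTorrent,2.2,Film A
203.0.113.12,2010-05-02 23:10:00,ExampleTorrent,2.1,Film B
100.64.7.9,2010-05-03T01:00:00+00:00,ExampleTorrent,2.1,Film B
"""


def check_record(fields):
    """Return a list of flags for one record; an empty list means no check fired."""
    ip_s, ts_s, client, version, _title = fields
    flags = []

    addr = ipaddress.ip_address(ip_s)
    if any(addr in net for net in NON_SUBSCRIBER_NETS):
        flags.append("non-subscriber-ip")

    try:
        ts = datetime.fromisoformat(ts_s)
    except ValueError:
        flags.append("unparseable-timestamp")
        ts = None
    # Without an explicit offset the time is ambiguous by at least an hour
    # around DST changes, and an ISP lookup for the wrong hour names the
    # wrong subscriber.
    if ts is not None and ts.tzinfo is None:
        flags.append("no-utc-offset")

    released = CLIENT_RELEASES.get((client, version))
    if released is None:
        flags.append("unknown-client-version")
    elif ts is not None and ts.tzinfo is not None and ts < released:
        flags.append("version-predates-release")
    return flags


def audit(log_text):
    """Map line number -> flags for every non-empty line of a log."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            results[n] = check_record(line.split(","))
    return results


if __name__ == "__main__":
    for n, flags in audit(SAMPLE_LOG).items():
        print(n, "OK" if not flags else ", ".join(flags))
```

The checks are deliberately cheap, and passing them proves nothing in the other direction: a record that clears all three still only says that some device behind that account's address was observed at that time, not who was using it.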

UPDATE 28th September 2010

The latest information suggests that the email leak has exposed a list of more than 8,000 Sky Broadband and 400 PlusNet ISP subscribers. PlusNet has informed affected customers. The leak has also revealed plans by ACS:Law to abuse the Digital Economy Act 2010 (DEA) in order to make more money from file sharing suspects.

Jim Killock, Executive Director of the Open Rights Group, added:

"It's shocking that ACS:Law are prepared to use the Digital Economy Act for their processes in future. And there is little to stop them. They could self-certify their evidence collecting process and send the data to ISPs.

The question is if Ofcom will let us see these methods or will they allow calls of "commercial confidentiality" to keep parts of the processes closed from view?"

In one of the leaked emails an ACS:Law lawyer is quoted as saying: "I have made sure that the requirements satisfy the requirements set out in OFCOM’s draft code of conduct," a veiled reference to the DEA.

UPDATE 29th September 2010

Which? has also responded to ACS:Law's security breach.

Deborah Prince, Head of Legal Affairs, Which?, said:

"We are pleased to see that the Information Commissioner’s Office (ICO) is fully aware of this apparently serious breach of data protection law and we hope that it acts swiftly to investigate and use its enhanced powers to impose an appropriate sanction, if it finds that the law has been broken. Anyone affected by the disclosure should contact the ICO to add their voice to that investigation.

Anyone who has been wrongly accused of illegal file sharing by ACS Law can find advice on the Which? website."

Simon Jackson, Technical Manager at Websense, added:

"Data breaches are once again dominating the headlines. The cyber criminals responsible for this targeted attack on ACS:Law realise the power of leaking a company’s confidential customer data to the outside world. But the question on everyone’s lips is surely ‘how did this happen, again?’

Nimble, flexible Data Loss Prevention (DLP) solutions now exist that enable a company to be protected without the lengthy deployment cycle and prohibitive costs of older, legacy systems. By taking active steps to trace inbound as well as outbound data leaks, and having the visibility of where important and valuable data sits, companies can mitigate the risk of exposure. Data loss is a costly experience not only in monetary terms (for the fines levied) but also in terms of negative impact on an organisation’s reputation. It appears that ACS:Law will be fined, perhaps up to five hundred thousand pounds, for breaching the Data Protection Act. The loss of faith could perhaps be even greater."

We are also covering ISP feedback in a separate article HERE.

Comments: 13

Legolash2o
Posted: 27 September, 2010 - 7:22 AM

"Motion Picture Association of America (MPAA) had hired an Indian software firm - Aiplex Software - to conduct similar attacks against P2P file sharing websites (e.g. The Pirate Bay)."

Would that mean they are breaking the law as well???
Legolash2o
Posted: 27 September, 2010 - 7:24 AM

Done some digging and it was actually "ebaumsworld.com" that did the attack.

"Yes, we here at ebaumsworld.com have very strong opinions against the anti-piracy movements. We feel the "attacks" were justified in order to voice our side, and thus we take responsibility for these actions. In no way was the website 4chan.org involved."
Someone
Posted: 27 September, 2010 - 7:31 AM

I don't think anyone would support a DDoS attack, but let's be honest: this breach came about after that attack and just goes to show the lax attitude to the data gathering process and the security of data in general.

Plenty of other sites were hit by these attacks yet none of them suffered this type of catastrophic breach or decided to have an entire unencrypted backup of all their email on a server which was open to the public.
Someone
Posted: 27 September, 2010 - 7:43 AM

When looking into this story there are extracts from the SRA documents posted on forums which show a number of companies in the UK looking to get involved in this sorry saga, despite there being better approaches, and the inconsistencies in the data gathering process have now been shown.
Someone
Posted: 27 September, 2010 - 7:59 AM

Reading on the forums, one person's case was dropped because the totally accurate software which can't be wrong and never lies said he was using a version of a BitTorrent client which wasn't released until four months after the supposed offence had taken place. And that's just the reporting of what client is supposed to be being used.
timeless
Posted: 27 September, 2010 - 8:27 AM

Wonder if this will affect the DEA; after all it's common knowledge that IPs are not a proper way to pinpoint users..
MarkJ
Posted: 27 September, 2010 - 9:50 AM

It's common knowledge and yet the DEA has not been affected, so if it does have any kind of real constructive impact on that legislation then I for one would be very surprised. The government simply does not understand the internet; only a very few cross-party MPs really "GET" I.T.
Louis
Posted: 27 September, 2010 - 10:14 AM

I am glad you are reporting this correctly.
Some sites are saying the email servers were hacked.
Loll
Posted: 28 September, 2010 - 9:45 PM

Perhaps everyone should write letters to ACS Legal accusing them of 'suspected' breach of the Data Protection Act, just like their letters to innocent people for 'suspected' breach of copyright law.
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved.