By: MarkJ - 29 September, 2010 (7:27 AM) - Score: 15487 - Fixed Line Broadband, Security, Piracy
Several broadband ISPs, including Sky Broadband, TalkTalk and Timico UK, have now given their reactions to the recent ACS:Law (Andrew Crossley) email leak. The notorious solicitors firm found its dirty email laundry strewn all over the internet at the end of last week after a botched attempt to restore their website (here).

The firm made its living by harassing internet providers and their "suspected" copyright file sharing (p2p) customers, yet failed to properly secure the details. As a result the leak also exposed personal information for thousands of suspected "illegal" UK file sharers, including names, addresses and in some cases even financial details.

ACS:Law's situation is now so bad that they could be facing a fine of up to £500,000 (unlikely to be that high) from the Information Commissioner's Office (ICO) - HERE. Sadly the leak also revealed that many ISPs failed to put up much of a fight in defending their customers against ACS:Law, which used IP "evidence" that they knew to be flawed.

The Executive Director of Strategy and Regulation at TalkTalk UK, Andrew Heaney, said:

"TalkTalk has never given any customer details to ACS:Law or any other law firm working on this basis, so our customers will not be affected by this breach.

It’s a stark reminder of the dangers of giving out customer details to third parties in trying to combat filesharing. While we do not condone illegal filesharing, we have consistently argued for better ways of combating copyright theft. Handing over customer details to law firms to seek ‘compensation’, based on accusations from rightsholders, is not the answer.

Tracking down illegal filesharers is complex and the current approach isn’t working. The first problem is around detection: if you can only see what’s being downloaded at each connection, how do you know which of the several users has actually infringed copyright?

Secondly, we’ve demonstrated before how it’s possible for connections to be hacked by serial filesharers. Again, this can result in false accusations being made against subscribers and is the key reason why we’ve refused to hand over our customers’ details to ACS:Law or any other law firm working in this way."

The Chief Technology Officer for Timico UK, Trefor Davies, said:

"£636,758.22 is apparently the amount of money ACS Law claim to have made out of hounding broadband subscribers for payment for “alleged” Copyright Infringement.

Based on a commission of 30%, £191,027.47 is what the firm would have made out of these unsavoury antics. £500,000.00 is the fine that ACS Law could be hit with for revealing their victims’ details on their website.

It is easy to see why ACS Law wanted to keep going after its victims. Shed no tears. Feel compassion for the many people whose lives have been affected by ACS Law. I wonder whether the firm will survive."

Outside of the potential for a huge fine and massive media flogging, ACS:Law could also now find it hard to gain much, if any, cooperation from ISPs in the future.

A Statement from Sky Broadband said:

"Following recent events, we have suspended all cooperation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information.

We continue to be very concerned at the apparent loss of data held by ACS:Law and by the actions of those who have sought to publicise the identities of individual customers. Like other broadband providers, Sky can be required to disclose information about customers whose accounts are alleged to have been used for illegal downloading. We support the principle that copyright material should be protected and we cooperate with court orders requiring disclosure.

Because the security of customer information is also a high priority, we only ever disclose such data in encrypted form. In addition, we have an agreement with ACS:Law that requires data to be stored and used safely and securely."

A PlusNet Statement to The Guardian said:

"Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data. However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements.

We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts."

ACS:Law's leak also revealed that the firm deliberately avoided targeting two ISPs, TalkTalk and Virgin Media UK, both of which were apparently too much trouble. No customer details for either were found in the leak. However ACS:Law did send letters to several Virgin Media customers in 2009 and it would be wrong to assume that they are both "safe" ISPs.

Sadly we do not anticipate that the government or Ofcom will take any notice of the huge flaws in P2P / IP tracking methods that have been exposed by this leak, and which will also be used by the Digital Economy Act 2010 (DEA). Neither MPs nor Rights Holders appear to understand how the internet works or comprehend the huge holes in the data that they propose to use.

We will add more comments as they come in.

UPDATE 9:06am

More feedback from our inbox.

John Iball, Senior Security Product Manager at Business ISP Star UK, said:

"ACS:Law could face a £500k fine by the ICO following the DDOS attack which saw a list of email addresses of Sky Broadband customers being leaked. The compromised backup file contained around 1,000 confidential emails and attachments between the owner and employees of ACS:Law, detailing private company information. Whilst details of the loss are still emerging, there are lessons to be learnt from this incident.

Perhaps we are so accustomed to email in our business lives, that employees neglect to distinguish between regular business email and highly-confidential personal or company information. However, by having a plan of Policy and Education in place, supported by Technology to enforce protocol, businesses can communicate to staff and customers alike how seriously it regards the security of data, as well as employees’ wellbeing."

UPDATE 1:05pm

Thanks to one of our readers for forwarding a reply they had from UK ISP Demon Internet (THUS Group).

A Demon Spokesperson said:

"We only give out customer details if required to do so by law. Given the recent issues that have arisen with ACS:Law, I doubt they'll be in a position to request any details.

If they are, then we would challenge them on the basis of security of our customer details - but don't forget the only way they would have access to our data would be via a Court Order, and they would have to convince a judge that they have good reason to request access to our customer data.

We would hope that the judge would take the recent issue into consideration before granting the Order."

UPDATE 30th September 2010

Here's a full reply from the Chief Operating Officer (COO) of ISP PlusNet UK, Richard Fletcher.

PlusNet's COO, Richard Fletcher, said:

"Firstly, we would like to apologise again to customers affected by the leak of data from ACS Law. We can confirm that we did send unencrypted data to ACS Law. However, this was not the cause of the leak. At a later date, due to a cyber-attack on the systems of the law firm, data that it held was leaked. We are extremely angry with ACS Law for allowing this to happen.

We would like to re-iterate that we have contacted all the affected customers via email. However, if you haven’t received an email from us and you have previously received a letter from ACS Law in relation to Plusnet, then please raise a ticket via our Help Assistant.

As a result of the incident at ACS Law, Plusnet will be providing all affected customers with an Identity Protection Service, including internet security software, free of charge for the next 12 months. We will contact customers directly regarding this over the coming days.

We are investigating how we came to be sending unencrypted data as we have robust systems for managing data. We have already ensured that this type of incident will not happen again, launched an internal enquiry and we have alerted the Information Commissioner’s Office (ICO). We will work with the ICO to clarify our position.

As we stated yesterday we are no longer co-operating with ACS Law over the provision of information and can confirm that we are reviewing our position in relation to these requests in general. Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with them and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly."

It should be noted that BT owns PlusNet and has taken some of the responsibility for this, despite the court order specifically requesting that the data be sent in a secure "encrypted" form.

UPDATE 4th October 2010

Statement from ISP Be Broadband UK.

BE's Head of Member Services, Louise Kirlew, said:

"Sorry for the delay in replying to this. We are aware of the widely reported data breach related to the ACS website.

When required to do so by law, we do disclose BE members’ data to third parties such as ACS Law. We take sensible precautions when disclosing such data and it is transferred to them using encrypted and password protected files.

As a result of this publicised breach we’ve written to ACS Law to establish precisely what has happened, including what steps they intend to take to remedy the breach and to encourage them to report this matter to the Information Commissioner’s Office. We’ve also written separately to the ICO.

We are following up these inquiries at the moment and will let any affected members know as soon as we have further helpful information."

UPDATE 7th October 2010

Small UK ISP XILO has now said that: "We will defend our customers rights on such claims when they arise as an IP cannot directly identify [the responsible individual]. We've never handed information out to ACS:Law, so we can be 100% certain our customers are safe."

Comments: 15

Pete
Posted: 29 September, 2010 - 9:49 AM

The root cause is the failure by ISPs like BT to encrypt the data they provided to ACS:Law, in defiance of a court order which instructed them to do so.

The court order said; "Such disclosure shall be in an editable electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media".

BT have since admitted; "In answer to the question … about whether we sent out customer details in unencrypted files, I can confirm that this did happen".

By ignoring the court's explicit instruction to encrypt this information, BT (and other ISPs) set this fiasco in motion.

steven
Posted: 29 September, 2010 - 10:37 AM

My Sky router developed a fault in January, and due to the lack of technical support available from Sky I eventually fixed it by myself by disabling the encryption, I thought who needs it, anyway?
I then get a letter this month from ACS Law demanding 600 pounds. Thankfully I know they can't demand that money off me because I didn't share that film or give anyone else that permission, plus it might not have even happened over my IP but via something called IP spoofing.
There are many innocent people being accused of file sharing, and though ACS Law are largely to blame, ISPs like Sky who give poor support are also to blame...

Steve Lawson - Editor For Hellmail Postal News
Posted: 29 September, 2010 - 10:57 AM

Allowing an apparent free-for-all, picking off IP addresses supplied by monitoring services (that increasingly are being regarded as flawed in terms of actually picking out individual file-sharers) will open the flood-gates to back-street debt collection start-ups, simply in it to make some easy money.

Shiny the brass plaque outside might be, but the essence of what ACS:Law does is no less distasteful, and in a difficult economy, this is likely to be the norm, with companies suing for anything they can get away with just to fuel their Ferraris. The government should have dealt with all this in the Digital Economy Bill and the ambulance chasing file-sharing bonanza brought to a complete stop, and certainly for a single mum having to find £700 because her 12 year old downloaded some obscure music track. How does THAT solve anything?

Carrot63
Posted: 29 September, 2010 - 11:07 AM

If the 19th Century practice of shipping people to Australia for stealing a loaf of bread has a 21st century equivalent, this little scam has to be it.

With little in the way of due process, it seems John Major's "return to Victorian values" came to pass after all.

Juliette_msc
Posted: 29 September, 2010 - 11:33 AM

This news continues to highlight how organisations are not protecting theirs and their customers' information effectively. Whilst Mr Crossley to a certain extent had it coming, the thousands of innocent users, some who have already been forced to pay fines, are now further at risk. I have written a blog on the issue here: bit.ly/bzWweH

Spiderman
Posted: 29 September, 2010 - 1:13 PM

Any ISP needs to ensure that all the data will be safe and secure before passing it to a third party, rogue trader like ACS Law Solicitors. BskyB did not contest it to ACS Law despite knowing that ACS Law has very bad reputation exposed by BBC, Watchdog, Which consumer guide and Lord Lucus, Locus House of Lord. Sky also did not make it clear what sort of relationship between sky and ACS LAW. Talk Talk and virgin media contested ACS Law and denied to hand over public data. Why SKY did not contest it like other despite knowing that ACS Law has millions of public opponents and subject to cyber attack any time.

I think Sky also should be held responsible along with ACS Law. Both destroyed innocent British citizens privacy. BSKYB need to make it clear what sort of relationship they had with ACS Law.

Anon
Posted: 29 September, 2010 - 1:19 PM

Looks like ACS also represent individuals as well. Googled ACS on the Sky website and got this link. Nothing about them screwing over their customers.

http://news.sky.com/skynews/Home/World-News/Dubai-Sex-On-The-Beach-Briton-Vince-Acors-Should-Be-Home-For-Christmas-Says-His-Lawyer/Article/200812115169725?lid=ARTICLE_15169725_DubaiSexOnTheBeachBritonVinceAcorsShouldBeHomeForChristmas,SaysHisLawyer&lpos=searchresults

Mikey the pc tech
Posted: 29 September, 2010 - 1:26 PM

well we all knew this was gonna happen in the end cool it's what happens when the ISP is constantly nagged about its users it's not the ISP's fault they have tried to say that in the past and are made to send this data over to these companies this is the outcome everyone predicted would prob happen nice work ACS you have proved companies like yourselves are totally useless in the task of cracking down on file sharing shifty i wouldn't be surprised if they went bust for this breach.

Sharing is Caring
Posted: 29 September, 2010 - 2:15 PM

I personally think that the fine should be low, in order to financially facilitate legal proceeding against ACS:Law by those whose personal data was leaked for damages.

On the other hand, it should be high, to reflect the seriousness of this leak. The incompetence and neglect that led to this leak combined with the truly private nature of this data (porn) which will, with certainty, lead to more emotional distress than if simply a list of names and addresses were released. To deter this level of incompetence in other cases, a maximum fine would be perfect.

I'm at a dilemma which would be the best course of action I'd like to see in my mind. So I think, I would like to see them given the maximum fine, and any remaining money used for compensation so that they must file for bankruptcy.

Tate
Posted: 29 September, 2010 - 5:26 PM

Do I get compensation from ACS law as my details were leaked?

Ijustmadethisnameup
Posted: 30 September, 2010 - 10:17 AM

Tate, If you haven't already done so you should contact Ralli Solicitors who are looking to organise a class action.

http://www.ralli.co.uk/news/ralli-harassment-group-action-continues


As for Mr Crossley, he's apparently already been disciplined twice by the SRA, perhaps it will be 3 strikes and he's out :)

Hogs
Posted: 30 September, 2010 - 11:25 AM

This all stems from the fact that people in high places literally don't have a clue about how technology works, and consistently fail to listen to anyone who does; even if they ask for advice, it is always ignored if it's not what they want to hear. Perfect examples include the way every Government IT project comes in late, over budget and not working, so are scrapped.
MPs still think that the Internet can be policed. This is a perfect example showing that it can't. They try to rush through laws that everyone who knows about technology tell them will not be enforceable but they are ignored.
The complacent attitude of these establishments regarding the data protection act is now blatantly obvious. They must now surely see that trying to force ISPs to provide customer details is totally pointless. What is inevitable is that laws will be changed for the benefit of them, not end users.

LuckygoHappy
Posted: 30 September, 2010 - 11:42 AM

How can a private firm like ACS:Law be mandated to sort this problem? How can the public be sure the fines handed to the supposed filesharers are properly estimated, are we sure that the money collected goes to the copyright holders? etc etc... This really looks like a complete scam typical from the UK. The government should set up a structure for this if they want to fight this. Private companies are just rip-off and incompetent scams.

Me
Posted: 3 October, 2010 - 8:54 PM

The ISPs are to blame, for rolling over and handing ACS-Law their customers' data, without challenging them in court. That is why Talk Talk weren't targeted, ACS knew they would put up a fight, and probably win.

Bertie
Posted: 16 December, 2010 - 12:54 PM

How do I find out if my details were leaked by acs law?


