The notorious solicitors firm ACS:Law (Andrew Crossley), which makes its living by harassing UK broadband ISPs and their "suspected" copyright file sharing (p2p) customers, has been hit by a serious Distributed Denial-of-Service (DDoS) attack that left masses of confidential email communications exposed to the public.

It's understood that the website was the subject of a persistent attack by the 'Anonymous' (4chan) activist group. The assault itself, which began earlier last week, was a coordinated action against multiple sites belonging to everybody from the Recording Industry Association of America (RIAA) to another controversial law firm, Davenport Lyons.

The DDoS assaults, which overload web servers with data and can thus cause them to become unusable, came in retaliation after it was revealed that the Motion Picture Association of America (MPAA) had hired an Indian software firm - Aiplex Software - to conduct similar attacks against P2P file sharing websites (e.g. The Pirate Bay).

ACS:Law, much like the other organisations involved, was eventually able to restore its website but inadvertently left an unencrypted backup file for visitors to download. As you might expect it promptly found its way onto BitTorrent via The Pirate Bay (p2p tracker) website.

Hundreds, possibly even thousands, of confidential personal details and once private email communications for ACS:Law have been exposed. As supporters of personal privacy we have chosen not to link or directly quote any of the related communications, although much of the content has already found its way onto websites around the internet and it's not hard to find.

However the communications reveal many disturbing facts and also appear to confirm that ACS:Law has preferred NOT TO TARGET two specific ISPs with demands for personal details, TalkTalk and Virgin Media UK. Both appear to be more trouble than they're worth for the law firm, which is after all centred on making money; that is also very much clear from the emails.

Furthermore the information also calls into question ACS:Law's P2P IP data collection methods, which are used to gain related "evidence" against suspected acts of internet copyright piracy.


However the leaked communications reveal that many cases were dropped after ACS:Law accepted that the individuals they had targeted were probably innocent. In other cases the monitoring data, which had been collected by IP monitoring company NG3Sys, was deemed to have too many inconsistencies.

Apparently ACS:Law has sent out over 11,000 letters (past two years) to those they suspect of unlawful copyright file sharing, with more than 3,400 recipients choosing to dispute the claim and over 4,500 simply not bothering to respond. This suggests that approximately one third would have chosen to settle their claim and pay out hundreds of pounds to avoid the courts; not that any of the cases ever actually make it that far.

At the end of August 2010 the UK Solicitors Regulatory Authority (SRA) chose to officially refer ACS:Law to a Disciplinary Tribunal over its practice of sending "bullying" letters to those accused of having abused their broadband ISP connection for "illegal" copyright file sharing (p2p) activity (original news). Here's a bit more fuel for that fire.

It should be noted that launching a DDoS attack is illegal in the UK, punishable by up to ten years in prison, and many other countries have similar rules.

UPDATE 10:28am

Some of the emails are also reported to contain sensitive financial details, such as credit card numbers.

UPDATE 11:26am

Now Privacy International (PI) are planning to take action over the breach of personal information - HERE.

Elsewhere, this particular quote from the ACS:Law emails could be taken as a useful piece of evidence to go after the firm on a criminal charge of attempting to obtain money by menacing. Some have claimed that, if charges are filed, it is the equivalent of US racketeering and extortion laws:


The SRA should take note.

UPDATE 2:08pm

The Open Right Group (ORG) has said that, as a result of the leak, the BPI (UK music trade body) should admit that their evidence is merely "circumstantial".


It's old news that IP data is unreliable, which is one of the reasons why so few actual legal claims have even made it to court in the UK. The BPI have never appeared to acknowledge this and as a result we do not expect them to respond.

UPDATE 28th September 2010

The latest information suggests that the email leak has exposed a list of more than 8,000 Sky Broadband and 400 PlusNet ISP subscribers. PlusNet has informed affected customers. The leak has also revealed plans by ACS:Law to abuse the Digital Economy Act 2010 (DEA) in order to make more money from file sharing suspects.


In one of the leaked emails an ACS:Law lawyer is quoted as saying: "I have made sure that the requirements satisfy the requirements set out in OFCOM’s draft code of conduct," a veiled reference to the DEA.

UPDATE 29th September 2010

Which? response to ACS Law's security breach.



We are also covering ISP feedback in a separate article HERE.