Posted: 27th Sep, 2010 By: MarkJ
Controversial solicitors firm ACS:Law UK (Andrew Crossley), which last week had all of its dirty email communication laundry leaked across the internet, is now facing more problems after Privacy International (PI) announced that it would take legal action over the firm's breach of sensitive personal details.
The emails were reportedly revealed on the evening of Friday 24th September 2010, as part of an unencrypted backup file, after ACS:Law allegedly attempted to restore their website following an extensive Distributed Denial-of-Service (DDoS) attack last week. This exposed an archive of messages containing confidential information that spanned almost three months across several accounts.
The communications of the law firm, which had been involved with tracking UK internet users to pursue legal action for breaches of copyright (piracy), included information on thousands of broadband ISP customers. Some reports claim that the details of 10,000 people have been exposed, including their names, addresses, postcodes, Internet Protocol (IP) addresses, what files they allegedly shared over P2P and in some cases even credit card details.
According to Alexander Hanff, PI Advisor:
"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress. This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."
Privacy International, a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations, has briefed the Information Commissioner's Office (ICO) and is preparing a complaint. Anybody who has become a victim of this breach is being urged to contact alex@privacy.org.
PI claims that there is no evidence to suggest that the web server of ACS:Law itself was compromised by hackers (DDoS is an attack designed to take down a website, not a hack). It would seem that this data breach was purely down to poor server administration and a lack of suitable data protection and security technologies.
The Data Protection Act requires that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The group has also urged ACS:Law to contact each and every person who is mentioned throughout the email archive and disclose the breach to them so they might take appropriate steps to secure their bank accounts and credit cards. This notification is essential so that individuals can also determine whether or not they wish to take legal action against the firm.
UPDATE 28th September 2010
We have updated our coverage in our original article too.
Private UK Illegal ISP File Sharing Details Leak from ACS Law After DDoS Attack
UPDATE 29th September 2010
A spokesperson for the Information Commissioner's Office (ICO) said:
"The ICO takes all breaches of the Data Protection Act very seriously. Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken."