UPDATE5 UK ISPs Respond to ACS Law Confidential File Sharing Details Email Leak

Posted: 29th Sep, 2010 By: MarkJ
Several broadband ISPs, including Sky Broadband, TalkTalk and Timico UK, have now given their reactions to the recent ACS:Law (Andrew Crossley) email leak. The notorious solicitors firm found its dirty email laundry strewn all over the internet at the end of last week after a botched attempt to restore their website (here).

The firm made its living by harassing internet providers and their "suspected" copyright file sharing (p2p) customers, yet failed to properly secure the details. As a result the leak also exposed personal information for thousands of suspected "illegal" UK file sharers, including names, addresses and in some cases even financial details.

ACS:Law's situation is now so bad that they could be facing a fine of up to £500,000 (unlikely to be that high) from the Information Commissioner's Office (ICO) - HERE. Sadly the leak also revealed that many ISPs failed to put up much of a fight in defending their customers against ACS:Law, which used IP "evidence" that they knew to be flawed.

The Executive Director of Strategy and Regulation at TalkTalk UK, Andrew Heaney, said:

"TalkTalk has never given any customer details to ACS:Law or any other law firm working on this basis, so our customers will not be affected by this breach.

It’s a stark reminder of the dangers of giving out customer details to third parties in trying to combat filesharing. While we do not condone illegal filesharing, we have consistently argued for better ways of combating copyright theft. Handing over customer details to law firms to seek ‘compensation’, based on accusations from rightsholders, is not the answer.

Tracking down illegal filesharers is complex and the current approach isn’t working. The first problem is around detection: if you can only see what’s being downloaded at each connection, how do you know which of the several users has actually infringed copyright?

Secondly, we’ve demonstrated before how it’s possible for connections to be hacked by serial filesharers. Again, this can result in false accusations being made against subscribers and is the key reason why we’ve refused to hand over our customers’ details to ACS:Law or any other law firm working in this way."

The Chief Technology Officer for Timico UK, Trefor Davies, said:

"£636,758.22 is apparently the amount of money ACS Law claim to have made out of hounding broadband subscribers for payment for “alleged” Copyright Infringement.

Based on a commission of 30%, £191,027.47 is what the firm would have made out of these unsavoury antics. £500,000.00 is the fine that ACS Law could be hit with for revealing their victims’ details on their website.

It is easy to see why ACS Law wanted to keep going after its victims. Shed no tears. Feel compassion for the many people whose lives have been affected by ACS Law. I wonder whether the firm will survive."

Outside of the potential for a huge fine and massive media flogging, ACS:Law could also now find it hard to gain much, if any, cooperation from ISPs in the future.

A Statement from Sky Broadband said:

"Following recent events, we have suspended all cooperation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information.

We continue to be very concerned at the apparent loss of data held by ACS:Law and by the actions of those who have sought to publicise the identities of individual customers. Like other broadband providers, Sky can be required to disclose information about customers whose accounts are alleged to have been used for illegal downloading. We support the principle that copyright material should be protected and we cooperate with court orders requiring disclosure.

Because the security of customer information is also a high priority, we only ever disclose such data in encrypted form. In addition, we have an agreement with ACS:Law that requires data to be stored and used safely and securely."

A PlusNet Statement to The Guardian said:

"Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data. However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements.

We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts."

ACS:Law's leak also revealed that the firm deliberately avoided targeting two ISPs, TalkTalk and Virgin Media UK, both of which were apparently too much trouble. No customer details for either were found in the leak. However ACS:Law did send letters to several Virgin Media customers in 2009 and it would be wrong to assume that they are both "safe" ISPs.

Sadly we do not anticipate that the government or Ofcom will take any notice of the huge flaws in P2P / IP tracking methods that have been exposed by this leak, and which will also be used by the Digital Economy Act 2010 (DEA). Neither MPs nor Rights Holders appear to understand how the internet works or comprehend the huge holes in the data that they propose to use.

We will add more comments as they come in.

UPDATE 9:06am

More feedback from our inbox.

John Iball, Senior Security Product Manager at Business ISP Star UK, said:

"ACS:Law could face a £500k fine by the ICO following the DDOS attack which saw a list of email addresses of Sky Broadband customers being leaked. The compromised backup file contained around 1,000 confidential emails and attachments between the owner and employees of ACS:Law, detailing private company information. Whilst details of the loss are still emerging, there are lessons to be learnt from this incident.

Perhaps we are so accustomed to email in our business lives, that employees neglect to distinguish between regular business email and highly-confidential personal or company information. However, by having a plan of Policy and Education in place, supported by Technology to enforce protocol, businesses can communicate to staff and customers alike how seriously it regards the security of data, as well as employees’ wellbeing."

UPDATE 1:05pm

Thanks to one of our readers for forwarding a reply they had from UK ISP Demon Internet (THUS Group).

A Demon Spokesperson said:

"We only give out customer details if required to do so by law. Given the recent issues that have arisen with ACS:Law, I doubt they'll be in a position to request any details.

If they are, then we would challenge them on the basis of security of our customer details - but don't forget the only way they would have access to our data would be via a Court Order, and they would have to convince a judge that they have good reason to request access to our customer data.

We would hope that the judge would take the recent issue into consideration before granting the Order."

UPDATE 30th September 2010

Here's a full reply from the Chief Operating Officer (COO) of ISP PlusNet UK, Richard Fletcher.

PlusNet's COO, Richard Fletcher, said:

"Firstly, we would like to apologise again to customers affected by the leak of data from ACS Law. We can confirm that we did send unencrypted data to ACS Law. However, this was not the cause of the leak. At a later date, due to a cyber-attack on the systems of the law firm, data that it held was leaked. We are extremely angry with ACS Law for allowing this to happen.

We would like to re-iterate that we have contacted all the affected customers via email. However, if you haven’t received an email from us and you have previously received a letter from ACS Law in relation to Plusnet, then please raise a ticket via our Help Assistant.

As a result of the incident at ACS Law, Plusnet will be providing all affected customers with an Identity Protection Service, including internet security software, free of charge for the next 12 months. We will contact customers directly regarding this over the coming days.

We are investigating how we came to be sending unencrypted data as we have robust systems for managing data. We have already ensured that this type of incident will not happen again, launched an internal enquiry and we have alerted the Information Commissioner’s Office (ICO). We will work with the ICO to clarify our position.

As we stated yesterday we are no longer co-operating with ACS Law over the provision of information and can confirm that we are reviewing our position in relation to these requests in general. Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with them and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly."

It should be noted that BT owns PlusNet and has taken some of the responsibility for this, despite the court order specifically requesting that the data be sent in a secure "encrypted" form.

UPDATE 4th October 2010

Statement from ISP Be Broadband UK.

BE's Head of Member Services, Louise Kirlew, said:

"Sorry for the delay in replying to this. We are aware of the widely reported data breach related to the ACS website.

When required to do so by law, we do disclose BE members’ data to third parties such as ACS Law. We take sensible precautions when disclosing such data and it is transferred to them using encrypted and password protected files.

As a result of this publicised breach we’ve written to ACS Law to establish precisely what has happened, including what steps they intend to take to remedy the breach and to encourage them to report this matter to the Information Commissioner’s Office. We’ve also written separately to the ICO.

We are following up these inquiries at the moment and will let any affected members know as soon as we have further helpful information."

UPDATE 7th October 2010

Small UK ISP XILO has now said that: "We will defend our customers' rights on such claims when they arise as an IP cannot directly identify [the responsible individual]. We've never handed information out to ACS:Law, so we can be 100% certain our customers are safe."

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved