Private data exposed on UK law firm website

By EDRi · October 6, 2010

This article is also available in:
German: [Website of a British law firm exposes private data | http://www.unwatched.org/node/2248]

On 24 September 2010, the website of the UK law firm ACS:Law suffered a
serious security breach. The site had been under a denial-of-service attack
launched by the group calling itself Anonymous as part of Operation Payback,
and what followed was the exposure of what appeared to be part of the firm's
internal email archive.

Although the ISP hosting ACS:Law's website suspended the account right after
the attack, the site came back online, for no apparent reason, with its web
root directory exposed and a folder in it containing an archived backup of
the company's mailboxes. The contents of the folder were downloaded and
posted on The Pirate Bay.
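The failure described above, a backup archive left under the web document root and visible once the server exposed that directory, is the kind of thing a pre-deployment check catches. The following Python script is an added example for illustration and is not code from the article or from any system it describes; the suffix list, the directory names it treats as sensitive and the demo layout are constructed assumptions.

```python
"""Offline audit of a web document root for content that must never be
served: backup archives, mailbox exports, spreadsheets, and directories
that would turn into a browsable index if directory listing is enabled.

Added example for illustration only; not code from the article or from
any system it describes. Suffix list and demo layout are assumptions.
"""
import os
import tempfile
from pathlib import Path

# File types that have no place under a public web root (assumption:
# illustrative list, extend it for your own stack).
RISKY_SUFFIXES = {
    ".zip", ".tar", ".gz", ".tgz", ".7z", ".rar",   # archives / backups
    ".bak", ".old", ".orig", ".sql", ".dump",       # copies and DB dumps
    ".pst", ".ost", ".mbox", ".eml", ".msg",        # mailboxes and mail
    ".xls", ".xlsx", ".csv",                        # spreadsheets / exports
}
# Directory names that must never be reachable from the web (assumption).
RISKY_DIRS = {".git", ".svn", ".hg", "backup", "backups"}
# A directory holding one of these files will not produce an index listing.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.aspx"}


def audit_webroot(root):
    """Walk `root` and return sorted (finding_type, relative_path) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel_dir = here.relative_to(root).as_posix()
        # No index file: the directory is browsable if autoindex is on.
        if not (set(filenames) & INDEX_FILES):
            findings.append(("listable-directory", rel_dir))
        for name in dirnames:
            if name.lower() in RISKY_DIRS:
                rel = (here / name).relative_to(root).as_posix()
                findings.append(("sensitive-directory", rel))
        for name in filenames:
            path = here / name
            # Path.suffixes handles multi-part names such as .tar.gz
            suffixes = {s.lower() for s in path.suffixes}
            if suffixes & RISKY_SUFFIXES or "backup" in name.lower():
                findings.append(("sensitive-file",
                                 path.relative_to(root).as_posix()))
    return sorted(findings)


def build_demo_root():
    """Constructed layout mirroring the incident: a normal site plus a
    backup folder containing a mailbox archive (file contents are dummies)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>site</html>\n")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body{}\n")
    (root / "backup").mkdir()
    (root / "backup" / "mailboxes.tar.gz").write_bytes(b"\x1f\x8b" + b"\0" * 16)
    (root / "backup" / "subscribers.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 16)
    return root


if __name__ == "__main__":
    for kind, rel in audit_webroot(build_demo_root()):
        print(f"{kind:20s} {rel}")
```

Run against the demo layout it reports the `backup` folder both as a sensitive directory and as listable, and flags the two files inside it. The listing finding only matters when the server has indexing enabled (Apache `Options Indexes`; nginx `autoindex on`), so the configuration fix is `Options -Indexes` or `autoindex off`, but the durable fix is the one this script enforces: backups and exports never live under the document root at all.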

ACS:Law has become well known lately for the threatening letters it sends to
alleged file sharers suspected of copyright infringement, asking them to pay
money to avoid being taken to court. Privacy groups had already referred the
company to the Solicitors Disciplinary Group for "bullying and excessive
conduct" at the beginning of September 2010.

The data exposed by the breach appears to include, among other things, an
Excel spreadsheet attached to an email sent by Andrew Crossley, head of
ACS:Law, to his colleagues, listing the names and addresses of apparently
more than 10 000 broadband subscribers together with the titles of the films
they had allegedly downloaded in breach of copyright.

As a result, Privacy International (PI) announced that it held ACS:Law
responsible for the incident and that it planned to bring legal action
against the company for breaching the privacy of internet users. PI has also
notified the UK data protection authority, the Information Commissioner's
Office (ICO), of the matter.

“… there is no evidence to suggest that the web server was compromised; it
would seem that this data breach was purely down to poor server
administration and a lack of suitable data protection and security
technologies,” says PI in a press release issued on 27 September.

Information Commissioner Christopher Graham took the matter seriously and
told the BBC that he would investigate. The case might give him a chance to
use the extra powers he has recently been granted, and ACS:Law could face a
very significant fine.

“The Information Commissioner has significant power to take action and I can
levy a fine of up to half a million pounds on companies that flout the Data
Protection Act,” said the Commissioner.

The ICO will investigate how securely the information was stored by ACS:Law
and how easy it was to access. “We'll be asking about the adequacy of
encryption, the firewall, the training of staff and why that information was
so public facing,” said the Commissioner.

ACS:Law Email Database Leaked onto The Pirate Bay (24.09.2010)
http://www.slyck.com/story2058_ACSLaw_Email_Database_Leaked_onto_The_Pirate_Bay

Law firm could face first £500,000 data leak fine (29.09.2010)
http://www.out-law.com//default.aspx?page=11404

Privacy International Plans Legal Action Against ACS:Law (27.09.2010)
http://www.slyck.com/news.php?story=2061

PI aims to pursue UK law firm for data breach (27.09.2010)
http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-566663

EDRi-gram: UK: Harassing innocent users for copyright infringement (8.09.2010)
http://www.edri.org/edrigram/number8.17/acs-law-harassing-copyright-infringement