ICO to investigate ACS:Law data breach

Cartoon man looking through magnifying glass

The Information Commissioner's Office (ICO) will be contacting ACS:Law over the data breach, which reportedly exposed the details of thousands of internet users.

The data was stored by the law firm to track P2P users sharing copyrighted pornographic films, possibly illegally.

A data leak is believed to have occurred after members of 4chan, an image board website where activists recently organised attacks on film industry bodies, launched a distributed denial of service (DDoS) attack against ACS:Law's site.

"The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken," a spokesperson for the ICO said.

Earlier this year, reports suggested that ACS:Law had contacted a number of web users suggesting they had been involved in illegal file sharing, giving them the chance to settle out of court for their alleged crimes for 500.

Many protested their innocence and Which? Computing was approached by over 150 people who had been contacted by the law firm.

Reaction

Some organisations have pointed the finger at ACS:Law, which was unable to give an official response about the breach at the time of publication. The company's website is also still down.

Jim Killock, executive director at the Open Rights Group, told IT PRO ACS:Law should never have had the data in the first place.

"The hackers weren't trying to expose email traffic, of course. While we may think bringing down a website is irresponsible, ACS:Law placed sensitive data in a place which it never should have stored [it], which is simply negligent," Killock said.

"The ICO should make an example of ACS:Law, but the ICO should also ask whether the EU's data protection supremo Peter Hustinx is right to question the entire legality of this private surveillance."

Hustinx, European data protection supervisor, recently queried the legality of the Anti-Counterfeiting Trade Agreement (ACTA) under EU privacy laws. ACTA, which is currently under negotiation by bodies from across the world, including the European Union, will look to produce common standards and practices for enforcement of intellectual property rights.

Privacy International, meanwhile, has claimed ACS:Law breached the Data Protection Act by allowing an archive containing sensitive data to be stored on a public facing web server.

The group encouraged ACS:Law to contact all those mentioned in the archive and disclose the breach to them so they can take steps to secure bank accounts and credit cards.

"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress," said Alexander Hanff, a Privacy International advisor.

"This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."

The Pirate Party UK was critical of both the hackers, who went by the name of Anonymous, and ACS:Law.

It condemned the "malicious attacks" carried out by Anonymous on the firm's IT infrastructure.

"Similarly, the Party strongly opposes the mass publication of personal information and private communication, whether by internet-based groups or the firm itself," an official statement read.

"The Pirate Party UK encourages those who attacked ACS Law to find less drastic ways to make their displeasure felt in the future."

The group also warned ACS:Law and other firms storing data on people they believe to be involved in copyright infringement to consider the enmity such action inspires.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.