The legal firm ACS:Law was hit by a DDoS (distributed denial-of-service) attack, in the aftermath of which a list of Sky Broadband customers' personal details was leaked.
According to media reports, ACS:Law was able to get its website back online, but an unencrypted backup file was then found on the restored site and distributed over the internet. The file, which contained around 1,000 confidential emails, was uploaded to the file-sharing website The Pirate Bay, where it is being shared by hundreds of users.
One unencrypted document lists the personal details of more than 5,300 BSkyB Broadband subscribers, alongside a list of adult videos they may have downloaded and shared online.
ACS:Law has made a business out of sending thousands of letters to alleged net pirates, asking them to pay compensation of about £500 per infringement or face court. BBC News reported that the documents appeared online after users of the message-board 4chan attacked ACS's site in retaliation for its anti-piracy efforts.
A spokesperson for Sky told BBC News that they were ‘very concerned at the apparent security breach involving data held by ACS:Law’.
A spokesperson said: “At this stage of our investigation, we believe that the data included the names and addresses of around 4,000 Sky Broadband customers. Like other broadband providers, Sky can be required by Court Order to disclose information about customers whose accounts are alleged to have been used for illegal downloading. We only ever provide such data in encrypted form.”
The Information Commissioner's Office (ICO) said that ACS:Law had a number of questions to answer. Commissioner Christopher Graham told BBC News that the question it will be asking is how secure was this information and how it was so easily accessed from outside.
He said: “We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing. The Information Commissioner has significant power to take action and I can levy fines of up to half a million pounds on companies that flout the Data Protection Act.”
Jim Killock, executive director of the Open Rights Group, who campaigned against the Digital Economy Act that threatened to cut off persistent file sharers, said: “Unwarranted private surveillance, plus incompetence, have led to a huge leak of sensitive personal data from ACS:Law. Information about individual alleged infringers appears to have been contained within the emails leaked at the weekend.”
He said that while reports have concentrated on the attack by 4chan users that brought their web server down, the more important questions are: why did ACS:Law host email files and sensitive information in a place that could easily be exposed to the public; and is it legal and permissible to collect and process such information from torrents without permission or knowledge?
He said: “As we have reported, the EU data protection authorities think the answer is probably ‘no’. Now the world can see why. At the end of the day, there is only one organisation to blame in this leak: which is ACS:Law, who have clearly treated people's data with far less care than they should have done. As a controversial company, there was every chance their servers might be attacked, but absolutely no reason why their web server should also be hosting email data from within their web space.”
Tony Dyhouse, cyber security director of the Digital Systems Knowledge Transfer Network, said: “This data belongs to the account holders themselves and is held by BSkyB – it will be interesting to see how this data arrived at ACS in the first place. The fact that the information was not encrypted or sufficiently protected then only exacerbated the problem.”
He also said that it was encouraging to see the ICO baring its teeth, but that the sheer volume of these data breaches proves that we now need a larger army of regulators in this country to protect our data.