Privacy International has said that it is planning legal action against ACS:Law over a breach that led to a list of email addresses of Sky Broadband customers being leaked.
As detailed earlier today, legal firm ACS:Law was hit by a DDoS attack that led to a file containing around 1,000 confidential emails being exposed. Privacy International claimed that while the full extent of this breach is not yet known, it could result in tens of thousands of people suffering from fraud, identity theft and severe emotional distress.
Privacy International said that it has ‘briefed the Information Commissioner's Office and is preparing a complaint’. Its advisor Alexander Hanff said: “This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk.”
The organisation urged ACS:Law to contact each and every person who is mentioned throughout the email archive and disclose the breach to them, so they might take appropriate steps to secure their bank accounts and credit cards.
It said that ‘this notification is essential so that individuals can also determine whether or not they wish to take legal action against the firm’.
Commenting, Amichai Shulman, CTO of Imperva, claimed that Imperva had seen instances where a DDoS was used against a victim and it was later found that the attackers were using the DDoS as a diversion to steal data.
He said: “However, I don't think this was the case here. Hackers had one point in mind - to cripple the services of the law firm, to disrupt business services and cause humiliation. Since ACS:Law's site was corrupted they've reconstructed it from a backup location which also included archive files with sensitive information.
“In the reconstruction process (which was probably done in haste) the archives with the sensitive data were copied to publicly accessible locations in the reconstructed website. Attackers immediately took advantage of that and downloaded them. They are now going through the stuff in those archives and are making public the ‘interesting’ data that they find. The more time they have to review the files the more public stuff we should expect to find.”
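The failure mode Shulman describes, archive files restored into a web-accessible location and then fetched by attackers, leaves a clear trace in the web server's access log. The following is an added example (not code from the article or from any of the firms quoted) that scans combined-format access log lines for successful, large downloads of archive, backup or mail-store files; the log lines and the IP addresses in them are constructed for illustration.

```python
import re

# Constructed sample access log lines (Apache/nginx combined format); not from the incident.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2010:10:01:12 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2010:10:01:30 +0100] "GET /backup/site-restore.tar.gz HTTP/1.1" 200 367001600 "-" "Wget/1.12"
198.51.100.9 - - [24/Sep/2010:10:02:02 +0100] "GET /backup/mail-archive.zip HTTP/1.1" 200 21000000 "-" "curl/7.21"
203.0.113.5 - - [24/Sep/2010:10:02:40 +0100] "GET /backup/old.bak HTTP/1.1" 404 210 "-" "Wget/1.12"
192.0.2.77 - - [24/Sep/2010:10:03:11 +0100] "GET /images/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# File types that indicate archives, backups or mail stores and should never be served from a web root.
SENSITIVE_SUFFIXES = ('.zip', '.tar', '.tar.gz', '.tgz', '.7z', '.rar', '.bak', '.sql', '.pst', '.mbox', '.eml')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def find_archive_downloads(log_text, min_bytes=1_000_000):
    """Return successful (2xx) requests for archive-like paths of at least min_bytes, largest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0].lower()  # ignore any query string
        if path.endswith(SENSITIVE_SUFFIXES) and 200 <= rec['status'] < 300 and rec['bytes'] >= min_bytes:
            hits.append(rec)
    return sorted(hits, key=lambda r: r['bytes'], reverse=True)


if __name__ == '__main__':
    for h in find_archive_downloads(SAMPLE_LOG):
        print(f"{h['ip']} fetched {h['path']} ({h['bytes']} bytes) at {h['ts']}")
```

The 404 for `/backup/old.bak` is deliberately excluded from the hits; a separate count of failed requests for such paths from the same client is a useful probing indicator but is outside what this block reports.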
Shulman said that the moral of this story is not about web security, but rather about sensitive data stored in an unstructured format. While organisations are keeping themselves busy protecting data in its structured format, within databases or as it flows out of web applications, a new threat is quickly becoming apparent – the dissemination of sensitive data from structured repositories into unstructured formats (e.g. MS Office files, text documents, etc.).
“In its unstructured format the sensitive information is flowing around the organisation almost unmonitored and uncontrolled. It is time for organisations to get ready to fight this new battleground of keeping close track of unstructured information repositories and controlling their flow around and outside their organisation,” he said.
Richard Walters, CTO of Overtis, said that organisations holding large amounts of personally identifiable data must automatically isolate and encrypt any databases, and that classifying file types and applying rules will prevent such data from being sent unencrypted via email or webmail.
He said: “This sensitive data should have been encrypted and never associated with any form of external web application. Technology is available to prevent this from happening no matter how poorly configured systems are, or how badly coded their web facing applications are.
“By preventing users from executing certain commands, as well as controlling users' access to every button, link, menu option or keystroke combination, even malicious attempts to steal data can be thwarted. User-centric security offers formidable protection against any suspicious or malicious activity, as well as unintentional data handling errors and provides a safety net if network-based security controls fail.”