Law Firm Faces Hefty Fine Over Porn Breach

The Information Commissioner has confirmed that it is investigating a major data breach at a UK law firm

The Information Commissioner’s Office (ICO) has confirmed a major data breach at a UK law firm that could see it hit with a maximum penalty of £500,000.

The website of ACS:Law was still unavailable on the afternoon of Tuesday 28 September, after it was revealed on Friday that the unencrypted details of thousands of broadband users, who reportedly signed up to BSkyB services and were thought to be illegally sharing pornography, had been leaked on the ACS:Law website.

It is alleged that ACS:Law exposed its email archive on its website, thereby disclosing confidential information.

ACS:Law is the law firm that has been tracking Internet users and achieved notoriety for its letter-writing campaigns to individuals suspected of illegal file-sharing. This included a 78-year-old man, who was accused of downloading pornography.

PI Lawsuit

On Monday privacy campaign group Privacy International said it was planning legal action against the UK law firm for the breach.

According to Privacy International, the stolen file is a single email containing the personal information of approximately 10,000 people assumed to have been involved in file-sharing of pornographic works. Details are said to include their names, addresses, postcodes, and Internet protocol addresses. “Other reports indicate that credit card details have also been made available,” the group said.

“This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress,” said PI advisor Alexander Hanff. “This firm collected this information by spying on Internet users, and now it has placed thousands of innocent people at risk.”

ICO Investigates

And now the ICO has said that it takes any breach of the Data Protection Act “very seriously”.

“The ICO takes all breaches of the Data Protection Act very seriously,” it said in an emailed statement to eWEEK Europe UK.

“Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken,” it added.

And others have been quick to add their thoughts on the matter.

Attack Is No Defense

“It’s shocking that ACS:Law are prepared to use the Digital Economy Act for their processes in future,” said Jim Killock, Executive Director of the Open Rights Group. “And there is little to stop them. They could self-certify their evidence collecting process and send the data to ISPs. The question is if Ofcom will let us see these methods or will they allow calls of ‘commercial confidentiality’ to keep parts of the processes closed from view?”

“What’s interesting about this particular investigation into data protection breaches is that the Information Commissioner has made it clear that, even where a data breach is a result of a malicious cyber attack, this is not an adequate defence and serves as no excuse,” said Andrew Wyatt of software security firm Clearswift.

“This data belongs to the account holders themselves and is held by BSkyB – it will be interesting to see how this data arrived at ACS in the first place,” said Tony Dyhouse – the cyber security director of the Digital Systems Knowledge Transfer Network (the government’s independent adviser on integrated digital technologies). “The fact that the information was not encrypted or sufficiently protected then only exacerbated the problem.”

So far, however, the ICO has yet to issue a major financial penalty for a data breach.