Private data exposed on UK Law firm website

6 October, 2010


On 24 September 2010, the website of the UK law firm ACS:Law suffered a massive security breach, apparently while under a denial-of-service attack launched by a group called Anonymous as part of Operation Payback. The breach exposed what seemed to be part of the website's internal email database.

Although the ISP hosting ACS:Law's website suspended the account right after the attack, the site became active again, without any apparent reason, pointing to the web root directory and revealing a folder containing an archived backup of the company's mailboxes. The content of the folder was downloaded and posted on The Pirate Bay.

ACS:Law has recently become well known for the threatening letters it sends to alleged file sharers suspected of breaching copyright, asking them to pay money in order to avoid going to court. Privacy groups had already referred the company to the Solicitors Disciplinary Group for "bullying and excessive conduct" at the beginning of September 2010.

The data exposed by the attack appear to include, among other things, an Excel file attached to an e-mail sent by Andrew Crossley, head of ACS:Law, to his colleagues. The file includes the names and addresses of apparently more than 10 000 broadband subscribers, along with the names of the movies they allegedly downloaded in breach of copyright.

Following the event, Privacy International (PI) announced that it blamed ACS:Law for the incident and planned to bring legal action against the company for breaching the privacy of internet users. PI has also notified the UK data protection authority, the Information Commissioner's Office (ICO), of the matter.

"... there is no evidence to suggest that the web server was compromised; it would seem that this data breach was purely down to poor server administration and a lack of suitable data protection and security technologies," says PI in a press release issued on 27 September.

Information Commissioner Christopher Graham took the matter seriously and told the BBC that he would investigate it, which might be a chance for him to use the extra powers he has recently been granted. ACS:Law might face a very significant fine.

"The Information Commissioner has significant power to take action and I can levy fines of up to half a million pounds on companies that flout the Data Protection Act," said the Commissioner.

The ICO will investigate the security of the information stored by ACS:Law and how easy it was to access. "We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing," said the Commissioner.

