The names of thousands for BT & Sky broadband customers who had allegedly illegally downloaded adult material have been leaked on-line. The lists appear to have been obtained from servers of a law firm ACS:Law by the notorious 4chan group.
ACS:Law had obtained the lists from ISPs Sky and PlusNet (owned by BT) and had been using the information to send out letters to the alleged copyright infringers demanding money. Many of those accused have denied downloading any adult material.
Both PlusNet & Sky had been forced to hand over the information by a court order and sent the data by email. It now transpires that BT failed to encrypt the data files during transmission. However, it is believed that data was stolen by 4chan members after they accessed ACS:Law’s server and then posted on-line at the Pirate Bay.
In addition to the lists of users, confidential messages regarding the cases, money made and personal correspondence were also posted. Reports vary in the total number named as the leaks keep coming but it appears to be over 13,000 people so far.
The UK’s Information Commissioner is now investigating ACS:Law for possible breaches of the Data Protection Act. If found guilty, the Commissioner can fine organisations up to £500,000 ($750,000). Christopher Graham said, “The question we will be asking is how secure was this information and how it was so easily accessed from outside. We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing.”
ACS:Law was already under investigation by the Solicitors Regulation Authority for its role and tactics when sending out the letters to the alleged filesharers. PlusNet has an FAQ explaining its role in the debacle.
This story has been running for a couple of days, but it just gets worse and worse.