Skip Navigation

Personal information leaked from law firm
Monday 27 September 2010 11:08:57 by Andrew Ferguson

Last week saw tit for tat DDoS (Distributed Denial of Service) attacks launched against two law firms (attacks like this are illegal in the UK) seemingly in response to attacks on a number of torrent sites. A ramification of these attacks was that when ACS:Law restored its website, for a short time a number of files that should have not been publicly available were available to those who looked slightly harder than usual.

Of course these files have now made their way onto various torrent sites and other locations around the Internet. What is of concern is that the files obtained contain swathes of personal information such as spreadsheets revealing customer details from broadband providers in response to court orders, and the response from individuals to ACS:Law. Plusnet has responded to this leak of information by flagging any accounts that were disclosed to ACS:Law, with an email being sent to users in addition to a ticket being added to the account. Plusnet is not the only other ISP involved, some Sky customers details have also been leaked. The stance of TalkTalk and Virgin Media public position of challenging content of the court orders appears to have meant that ACS:Law has not pursued potential infringers on their networks.

While learning the address of anyone in the UK is not difficult, if this can be tied to potential infringement of copyright, it leaves people open to carefully targeted spam or maybe even blackmail. Of the biggest concern is the suggestion that credit card details may also have been leaked, after being stored as plain text. The emails indicate that guest houses are doing things like changing how their guest wi-fi works, partners of forces personnel overseas are having to deal with letters, and interestingly some people are willing to pay but only in instalments.

ACS:Law has already been referred to a disciplinary tribunal by the Solicitors Regulatory Authority. It is just possible that this leak may result in further questions and maybe action, questions for example of why was greater care not taken of personal information. The most interesting aspect is that this security breach reveals a lot about how ACS:Law handle cases, which is not likely to endear them to the public, broadband industry and even the industries it is alleging to protect from copyright infringement.

This incident reveals that no matter how careful you are with your own personal information, third parties may not always take the same level of care. Therefore if you have reason to believe your details may have been leaked e.g. previously had had a letter from ACS:Law, then be on your guard for perhaps even more spam email, unsolicited phone calls or post. Whilst most spam is easy to spot, with the level of personal detail revealed carefully crafted spam that could appear real may well appear. The rules of spam email is to never ever open any attachment (no matter how good your anti-virus software), and never reply to the email.

The copyright infringement part of the Digital Economy Act (DEA) 2010 is meant to level the field somewhat, and the letter writing component will require broadband providers to pass on warning letters. It is possible that the Act will bring an end to activities such as those run by ACS:Law, but this is far from certain. What this latest incident will do though is sharpen the focus on how the data generated by the Copyright Infringement Notice process is obtained and protected.


Posted by cyberdoyle over 7 years ago
you can't pass laws to sort out the ambulance chasers, and the badly thought out deact will only give them more power. They are a bigger blight on the face of the earth than any pirate.
Posted by jelv over 7 years ago
Advice: If you have paid ACS Law any money in such a way that they have your bank account details (or there is any other reason why they may have your bank details)

Posted by Legolash2o over 7 years ago
I've checked these emails, they are very bad. There is an attattchment with 5000+ Sky broadband users IP addresses, actual address, etc.. There are emails saying they are purposely scaring people into paying.

Very very bad...
Posted by jelv over 7 years ago
Now ACS Law are facing legal action themselves:

(Link is to Privacy International - URL contains some dodgy characters)
Posted by alan-borers over 7 years ago
I hope that ACS Law are savaged by other legal sharks, and that there will be a self destructive feeding frenzy of Legal piranha

Posted by Legolash2o over 7 years ago
There is a document in an email stating...

Total Letters sent: 20,323
Money recovered: £936,570.72
The amount of money to each firm totalling: £341,078.92

That's alot of profit....
Posted by Legolash2o over 7 years ago
OK, people really need to ring up their banks and cancel their credit card if they have dealt with ACS:Law. Yes, i'm being serious!
Posted by whatever2 over 7 years ago
hope they get dragged over the coals for this... no excuses considering the flippant responses they have made about the attacks in the press.
Posted by jelv over 7 years ago

ACS tried to use ignorance as a defence when fined by Westminster Council. Funny how they wouldn't accept the same argument from the victims they blackmailed!

Very amusing reading!
Posted by Legolash2o over 7 years ago
haha Jelv, ironic and i just love karma :D
Posted by GMAN99 over 7 years ago
So the people this law firm are chasing to fine could end up suing the law firm for negligence? Priceless....
Posted by arcturus over 7 years ago
Is nobody else wondering what on earth ACS were doing storing this kind of information on their public webserver? It should have been on their 'internal access' only systems. They should be hauled over the coals for this one. And their head of IT sacked immediately.
Posted by MrTAToad2 over 7 years ago
Will be interesting to see if I'm there, and what they thought of my refusal to pay...
Posted by MrTAToad2 over 7 years ago
Apparently I'm not - the folder for the email address I sent one of my replies to was empty, and no mention of my name.
Posted by GMAN99 over 7 years ago

Totally, storing this on the dirty net facing side of your set-up is very very bad practice.
Posted by jelv over 7 years ago
"Plusnet has responded to this leak of information by flagging any accounts that were disclosed to ACS:Law, with an email being sent to users in addition to a ticket being added to the account."

Having promised on the Community forums they would notify all users they have gone silent - no emails have been sent.
Posted by Legolash2o over 7 years ago
I hope they get shut down, this may become a problem when the DEA fully kicks in.

Deleted the emails now so can't view them anymore lol.
Posted by Oldjim over 7 years ago
Announced on the forum at 21.14 and confirmed all emails sent at 21.51 both statements by the Chief Operating Officer
Posted by Legolash2o over 7 years ago
Has this been covered by TV yet?
Posted by tommy45 over 7 years ago
They have been running nothing short of an extortion racket,protected by a legal loophole allowing them to operate the way in which they have so far, the amount they try to extort from most people is exactly the same set amount £495.00, regardless of the content,when really it was crosley who set the amount not the so called client
Posted by ACS_Law_Truth over 7 years ago is planning on taking Crossley to court for gross negligance of Data Protection. It wants to hear from everyone to build its case so check it out.

You can find mirrors of the emails and info here:

There's no way Crossley can stop this despite thinking he can stop the internet.
Posted by davolente over 7 years ago
What comes around..........
Posted by Legolash2o over 7 years ago
Just to let you know 2 more databases have been found in the emails

One with 8000+ names (SkyB) and one with 400 names (PlusNet) both of which have which shows music albums instead of porn.
Posted by Legolash2o over 7 years ago
Its finally on BBC News, watching it now.
Posted by Legolash2o over 7 years ago
Just had an email with BBC News, Andrew Crossley have confirmed the email about scaring people into paying :D
Posted by MrTAToad2 over 7 years ago
The file I downloaded contained a lot of empty directories - so I'm not sure it had everything that was available...
Posted by Legolash2o over 7 years ago
Yeah there is a lot of empty directories but all the emails are in the "cur" folders.
Posted by GMAN99 over 7 years ago
Their website is down again :) how did this muppet firm get away with this for so long and how did they manage get hold of customer details from the ISP's? It sounds to me like they were requested on behalf of <insert IP owner here> and they were given up when the IP owner may never have said anything in the first place, this £495 sum for each breach just doesn't stack up. I hope he gets fined the 500k talked about in the press for the data breach and then investigated and sent to jail for his illicit dealings
Posted by Pod over 7 years ago
It is not surprising that Andrew Crossley has, yet again, been referred to the SRA for a disciplinary hearing. Hea has been found guilty twice by the SRA of 'conduct unbefitting a solicitor'.
Posted by pigfister over 7 years ago
Nate Anderson, who assembles the huge corpus of emails into a coherent narrative explaining how ACS operates, with emphasis on the unethical behavior that made it the most hated law firm in the UK. If you only read one story about "anti-piracy" operations, read this one.
Posted by CARPETBURN over 7 years ago
@GMAN99... OMG i dont think ive ever agreed with you so much (checks outside that the sky isnt falling ;) ). That last post of yours... VERY well said.
Posted by heather1 over 7 years ago
What's the problem? Surely this is just a different form of 'file sharing' (by ACS), which a sizable proportion of contributors usually seem to favour!
"You can't have it both ways" springs to mind.
You must be logged in to post comments. Click here to login.