Last week saw tit-for-tat DDoS (Distributed Denial of Service) attacks launched against two law firms (attacks like this are illegal in the UK), seemingly in response to attacks on a number of torrent sites. One ramification of these attacks was that when ACS:Law restored its website, a number of files that should not have been publicly available were, for a short time, available to those who looked slightly harder than usual.
Of course, these files have now made their way onto various torrent sites and other locations around the Internet. What is of concern is that the files obtained contain swathes of personal information, such as spreadsheets revealing customer details supplied by broadband providers in response to court orders, and the responses from individuals to ACS:Law. Plusnet has responded to this leak of information by flagging any accounts that were disclosed to ACS:Law, with an email being sent to users in addition to a ticket being added to the account. Plusnet is not the only ISP involved; some Sky customers' details have also been leaked. The public position of TalkTalk and Virgin Media of challenging the content of the court orders appears to have meant that ACS:Law has not pursued potential infringers on their networks.
While learning the address of anyone in the UK is not difficult, if this can be tied to potential infringement of copyright, it leaves people open to carefully targeted spam or maybe even blackmail. Of greatest concern is the suggestion that credit card details may also have been leaked, after being stored as plain text. The emails indicate that guest houses are doing things like changing how their guest wi-fi works, partners of forces personnel overseas are having to deal with letters, and, interestingly, some people are willing to pay but only in instalments.
ACS:Law has already been referred to a disciplinary tribunal by the Solicitors Regulatory Authority. It is just possible that this leak may result in further questions and maybe action; questions, for example, of why greater care was not taken of personal information. The most interesting aspect is that this security breach reveals a lot about how ACS:Law handles cases, which is not likely to endear it to the public, the broadband industry and even the industries it claims to protect from copyright infringement.
This incident reveals that no matter how careful you are with your own personal information, third parties may not always take the same level of care. Therefore, if you have reason to believe your details may have been leaked, e.g. you have previously had a letter from ACS:Law, then be on your guard for perhaps even more spam email, unsolicited phone calls or post. Whilst most spam is easy to spot, given the level of personal detail revealed, carefully crafted spam that looks genuine may well appear. The rules for spam email are to never ever open any attachment (no matter how good your anti-virus software), and never reply to the email.
The copyright infringement part of the Digital Economy Act (DEA) 2010 is meant to level the field somewhat, and the letter writing component will require broadband providers to pass on warning letters. It is possible that the Act will bring an end to activities such as those run by ACS:Law, but this is far from certain. What this latest incident will do though is sharpen the focus on how the data generated by the Copyright Infringement Notice process is obtained and protected.