2010-09-30

BBC News - BT embroiled in ACS:Law porn list breach

29 September 2010 Last updated at 08:53 ET



By Daniel Emery Technology reporter, BBC News
Image caption: The spreadsheet of PlusNet users was sent in an unsecured format by a BT lawyer

BT has admitted it sent the personal details of more than 500 customers as an unsecured document to legal firm ACS:Law, following a court order.

The news could put BT in breach of the Data Protection Act, which requires firms to keep customers' data secure at all times.

The e-mails emerged following a security lapse at ACS:Law.

A BT official admitted "unencrypted" personal data was sent, adding it "would not happen again".

The unsecured Excel documents were sent in late August by Prakash Mistry, a lawyer working for British Telecom, to Andrew Crossley - who runs ACS:Law.

"In accordance with the Court's Order of 17 February 2010 ("the Order"), please find enclosed the data in accordance with paragraph 1 of the Order," wrote Mr Mistry in the e-mail.

"Please acknowledge safe receipt and that the data will be held securely and shall be used only in accordance with the provisions of the Order," he added.

Keep it safe

However, while BT requested that the personal information be held securely, the data was sent in an unencrypted document that could be read by anyone with access to the e-mail.

Two separate documents were sent out by BT. One contained a list of 413 users whom ACS:Law believed were sharing a music track called Evacuate The Dancefloor; the second listed more than 130 PlusNet users alleged to be sharing pornographic material.

"In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen," wrote a BT community moderator called Nigel on the firm's PlusNet forums.

"We are investigating how this occurred as we have robust systems for managing data.

"We have already ensured that this will not happen again.

"In this circumstance our legal department sent data to a firm of solicitors (ACS:Law) which reached them safely and we trusted that they would keep the data safe," he added.

A spokesperson for BT-owned PlusNet told BBC News that it had contacted all of its affected customers and was "working with them closely to protect them as much as possible from further exposure" and would be providing them with "an identity protection service including internet security software free of charge for the next 12 months".

PlusNet said it would now take a more rigorous stance against requests for user data.

"Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with rights holders and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly," the spokesperson told BBC News.

PlusNet said it was running an internal enquiry to ensure "that this type of incident will not happen again" and had alerted the Information Commissioner's Office.

Simon Davies, from the watchdog Privacy International, told BBC News that BT had "comprehensively breached" the Data Protection Act.

"More significantly, they appear to be in contempt of a high court order," he added.

The order, he said, was made in the High Court of Justice before Chief Master Winegarten on 7 July 2010.

The ruling, ordering internet service providers to hand over data to ACS:Law, states that it should be provided in an "electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media".

Mr Davies said he was going to write to the High Court and to the Attorney General and press for proceedings for contempt of court to be brought against BT.

Sky Broadband was also required to hand over lists of users suspected of illegally sharing files, but said it only ever sends them in a secure format.

"Like other broadband providers, Sky can be required to disclose information about customers whose accounts are alleged to have been used for illegal downloading," the spokesperson told BBC News.

"Because the security of customer information is also a high priority, we only ever disclose such data in encrypted form," they added.

The news is the latest twist in an ongoing saga after legal firm ACS:Law was targeted by online activists from notorious messageboard 4chan.

ACS:Law has made a business out of sending thousands of letters to alleged net pirates, asking them to pay compensation of about £500 per infringement or face court.

Revenge attack

Users from 4chan, who have a long track record of internet activism, targeted ACS:Law during what it called Operation Payback.

ACS:Law's website was taken down for a few hours and after it was restored, it emerged that the company's e-mail database had been leaked online.

Many of the e-mails contained unsecured documents containing the personal details of thousands of UK broadband subscribers.

Video: UK Information Commissioner Christopher Graham on ACS:Law

Amichai Shulman, chief technology officer of security firm Imperva, told BBC News that the documents emerged not as the result of a hack, but due to a security lapse on the part of ACS:Law.

"Hackers had one point in mind - to cripple the services of the law firm, to disrupt business services and cause humiliation," he said.

"Since ACS:Law's site was corrupted, they've reconstructed it from a back-up location which also included archive files with sensitive information.

"In the reconstruction process - which was probably done in haste - the archives with the sensitive data were copied to publicly accessible locations in the reconstructed website.

"Attackers immediately took advantage of that and downloaded them. They are now going through the stuff in those archives and are making public the 'interesting' data that they find.

"The more time they have to review the files the more public stuff we should expect to find," he added.
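The restore mistake Mr Shulman describes, backup archives copied under the public web root during a hasty rebuild, is the kind of thing a short post-restore audit catches before anyone else does. The script below is an added example and is not code from the article or from any party named in it; the list of risky file types and the sample directory tree are constructed for illustration, and the Python standard library is the only dependency.

```python
"""Audit a restored web root for files that should never be publicly served.

Added example; not part of the BBC article or of any product named in it.
It models the failure mode described above: a site rebuilt from a backup
location, with archive and data files landing under the public document
root. The suffix list and the sample tree below are constructed.
"""
import tempfile
from pathlib import Path

# Constructed list: file types that belong in a backup store or a database,
# not under a web root. Extend it to match your own stack.
RISKY_SUFFIXES = {
    ".zip", ".tar", ".gz", ".tgz", ".7z", ".rar",   # archives / site backups
    ".bak", ".old", ".sql", ".dump",                # config and database dumps
    ".pst", ".mbox", ".eml",                        # mail stores
    ".xls", ".xlsx", ".csv",                        # spreadsheets of personal data
}


def risky_files(web_root):
    """Return sorted POSIX paths (relative to web_root) with a risky suffix.

    Every suffix in the file name is checked, not only the last one, so a
    compound name such as 'site-backup.tar.gz' or 'config.php.bak' is caught.
    """
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & RISKY_SUFFIXES:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_site(base):
    """Write a small constructed web root resembling a hasty restore."""
    base = Path(base)
    files = {
        "index.html": "<html>ok</html>",
        "css/style.css": "body{}",
        "restore/site-backup.tar.gz": "not a real archive",
        "restore/mail-archive.zip": "not a real archive",
        "uploads/customers.xls": "not a real spreadsheet",
        "config.php.bak": "<?php // old config",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def audit_sample_site():
    """Build the sample tree in a temporary directory and return flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        return risky_files(build_sample_site(tmp))


if __name__ == "__main__":
    for rel in audit_sample_site():
        print("publicly served but should not be:", rel)
```

Run it against a real document root with `risky_files("/var/www/html")` (path assumed) after any restore; anything it reports should be moved out of the served tree or deleted, and a web-server rule that refuses to serve those suffixes is a sensible second layer.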

A spokesperson for the Information Commissioner's Office (ICO) told BBC News that the BT e-mail would be part of its ongoing investigation into ACS:Law, but that it would also check whether it had received any specific complaints from PlusNet users.

The UK's Information Commissioner, Christopher Graham, told the BBC that firms who breach the Data Protection Act could face fines of up to half a million pounds.

Are you a Sky broadband customer? Have you received a letter from ACS:Law? Send us your comments using the form below.

I received a letter from ACS Law a couple of weeks ago and was distraught to read that my details had been passed on because of a court order and I was accused of downloading porn illegally. I contacted the company and told them that I had been falsely accused and expressed my concerns. By this stage I was at my wit's end because of the stigma and the threat of being taken to court if I did not pay £500 to ACS. The response did not help me. I was told that a court order had forced them to provide my information and what ACS did with the information was up to them. All of this has made me extremely ill and unable to sleep at night due to worry and stress. Having looked on the internet and found innocent people in the same situation as myself, I am in the process of writing to ACS and refusing to pay. I'm appalled that companies can get away with this kind of behaviour. It's scandalous! I'll continue to worry until the matter is resolved, which I believe may take months, but I take some comfort meanwhile that ACS have quite rightly been exposed.

Simone, South Yorkshire

After reading the article I am both shocked and disgusted that 'confidential' details are so freely available. Any computer hacker could have stolen these details and caused chaos - who knows what else has gone missing? Being suspected of a crime and being proven guilty are two different things, but the people who've been accused could always have a black mark against them. As for IP addresses, in most cases they are shared by several people each month - where do you think the term 'dynamic address' comes from? And anyone in range of a wireless network with the correct tools can hijack any internet connection for any purpose at all.

Anon,

I work in IT with a big focus on security. This could have happened to lots of firms. The people in charge of most companies assume their IT staff have dealt with security and fail to understand the potential impact if their data was released onto the net. As people go through the leaked emails in more detail additional data will be released, I've been through some of the emails myself and within five minutes found a scanned copy of someone's passport. Scary stuff.

Paul, London

I received a letter about four months ago stating that I had downloaded a piece of music. It was written in a way that was intended to scare me into paying the fine. It almost worked, but I decided that as I hadn't done anything, why should I pay? After logging on to certain forums to get advice I found a template letter and sent it, saying that I was not responsible for the download. A couple of months later I received another letter saying that my response was not good enough and that I must pay the fine or else be taken to court. Again, very scary letters - older members of the public may be frightened into paying the money even though they have not done anything wrong. After sending another letter about a month ago I have not received any response. I think the company needs to be closed down to stop them from sending these threatening letters to innocent members of the public.

Stephen, Northumberland

I don't understand why it is not articulated more clearly, that the IP address used in some file sharing network applications is configurable, i.e. you can set it to anything you like before you start it up. This is called IP spoofing. Consequently many people say that they are wrongfully accused.

Nicholas, London

Surely the questions to be asked are not about security precautions, but why ACS are holding personal data without consent in the first place? Is that not the main point of the Data Protection Act?

Zach, London

It's a shame the UK doesn't have the equivalent to the USA's "Class action" - ACS:Law should be sued by all who have suffered at their hands. I have been wrongly accused of downloading a pornographic movie and as if this wasn't bad enough the information is now probably in the public domain. This data leak could lead to some people being blackmailed.

Henry, Glasgow, Scotland
