ACS: Law faces lawsuit after ‘porn pirates’ leak

A law firm which goes after internet users it suspects of illegally sharing copyright material is facing legal action after it inadvertently published its targets' sensitive personal data online.

Secret emails which were also leaked have raised doubts about ACS: Law's methods.

An unencrypted list of the names of at least 4,000 Sky broadband users and the titles of porn movies ACS: Law suspects they file-shared online, plus 1,000 confidential emails and some web users' credit card details, appeared on the company's server on the evening of September 24 – and was quickly spread around the internet.

And the BBC reports today that another two lists have surfaced on the web, with the names of more than 8,000 Sky broadband subscribers and 400 PlusNet users. It is not clear whether these were part of the original leak.

As ACS: Law's Andrew Crossley was keen to point out, the leak came after "a criminal attack" on the company's systems. What is less clear is whether that excuses the company for allowing the confidential data to be made public.

ACS: Law's servers were targeted by the amorphous 'Anonymous' activist group, which has links to 4chan, the imageboard that functions as a sort of web-geek hive-mind. They were subjected to a sustained denial-of-service (DoS) attack.

DoS attacks are a favourite way of inconveniencing organisations with a website and involve bombarding the target's servers with so much traffic that they collapse under the strain. They are illegal in the UK.

ACS: Law and other organisations fighting internet piracy were targeted by Anonymous in retaliation after the Motion Picture Association of America hired a software firm in India, where DoS attacks are legal, to hit file-sharing websites such as the Pirate Bay using the same methods.

The Daily Telegraph reports today that "hackers opposed to the company's activities deliberately targeted the firm's database before posting details online" but internet experts Privacy International

(PI) say the data was accidentally made public by ACS: Law itself, as part of an unencrypted backup file when the company allegedly attempted to restore its website after the DoS attack.

The DoS attack itself is not a 'hack' – it's not an attempt to gain access to servers and internal information, but simply to render them useless from the outside.

Now non-profit campaigning group PI says it will take legal action over a data breach which "is likely to result in significant harm to tens of thousands of people". The UK's Information Commission is also investigating.

Emails included in the file may lend support to charges made against ACS: Law this August when the Solicitors Regulatory Authority referred it to a disciplinary tribunal for sending bullying demands for money to people on the list.

The website ISP Review yesterday quoted from one of the leaked emails.

It reads: "I think pursuing individual infringers will 'scare' them into paying up, more than what Lawdit or other representative would advise their client." ·