MarkJ writes:
Controversial solicitors firm ACS:Law UK (Andrew Crossley), which last week had all of its dirty email communication laundry leaked across the internet (here), is now facing more problems after Privacy International (PI) announced that it would take legal action against the firms breach of sensitive personal details.
The emails were reportedly revealed on the evening of Friday 24th September 2010, as part of an unencrypted backup file, after ACS:Law allegedly attempted to restore their website following an extensive Distributed Denial-of-Service (DDoS) attack last week. This exposed an archive of messages containing confidential information that spanned almost three months across several accounts.
Read more on ISPReview.
John Leyden of The Register provides more of the background on the breach:
Other targets of Operation: Payback is a bitch included solicitors ACS:Law and Davenport Lyons. During attempts to re-establish ACS:Law’s website it seems a compressed copy of what seems to be at least part of the firm’s email database, contained in site backups, was exposed online. Hackers extracted this webmail file and made it available via torrent trackers and posted it on a limited number of websites over the weekend.
“Their site came back online [after the DDoS attack] – and on their front page was accidentally a backup file of the whole website (default directory listing, their site was empty), including emails and passwords,” a leader of the attacking group told TorrentFreak.
The press release from Privacy International states that the breach includes
…vast amounts of information on thousands of internet users. While the full extent of this breach is not yet known, one report stated that among the stolen files is a single email containing the personal information of approximately 10,000 people assumed to have been involved in file-sharing of pornographic works, exposing their names, addresses, postcodes, and Internet protocol addresses. Other reports indicate that credit card details have also been made available.
According to Alexander Hanff, PI Advisor: “This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress.”
“This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk.”
PI is preparing a complaint to submit to the Office of the Information Commissioner (ICO), alleging violation of the U.K.’s Data Protection Act. Whether the ICO might sympathetic as the web site exposure occurred as the law firm was trying to restore its site following a ddos attack remains to be seen.