The recent cyber attack on the ACS Law website has once again raised the issue of website security and data protection.
ACS Law is a UK-based law firm that specialises in detecting potentially illegal downloading of copyrighted material. The firm hires the services of a detection company, which provides the IP addresses of persons suspected of illegal downloading, and ACS then seeks a court order requiring the relevant Internet Service Provider to disclose the name and address of the person using the IP address. ACS sends a letter to the person in question stating that they are suspected of breaching copyright and offering to settle the matter for a sum often in the region of £500.
ACS has been heavily criticised by the internet community for its perceived strong-arm approach and, somewhat inevitably, was recently the target of a Distributed Denial of Service (“DDoS”) attack against its website. This DDoS attack successfully took the website offline; however, in the process of restoring the site, the firm’s directories were inadvertently posted publicly on the site’s homepage. The folders contained highly confidential emails, the contents of which were soon being shared on online discussion boards and made available for download through file sharing websites. The emails contained personal details of thousands of UK broadband users who were being accused of illegally downloading copyrighted material.
The highly sensitive nature of this information has attracted the attention of the UK Information Commissioner who has commenced an investigation into the data breach. The Commissioner can impose a fine of up to £500,000 and he has stated that the firm has serious questions to answer concerning the adequacy of encryption, the firewall, the training of staff and why the information was so public facing. This incident has also led to a number of UK Internet Service Providers challenging court applications from firms such as ACS which seek to obtain the names and addresses of persons they suspect of illegal file sharing.
The problems now facing ACS Law could also potentially affect any company that operates a website, as can be seen from the recent cyber attack on the CAO website during the publication of the Leaving Cert results. More and more companies are facing cyber attacks and this incident highlights the importance of ensuring that adequate plans are in place to deal with these types of attacks. This should include appropriate staff training, encryption of sensitive data and firewalls designed to cope with an attack of this nature.
For further information or if you have any queries please contact either David Cullen or Leo Moore of our Data Protection department.