BT Dragged Into Porn Data Breach At Law Firm

The fallout from the data breach at UK law firm ACS:Law continues, after BT admitted that it sent the personal details of more than 500 of its own customers in an unencrypted document following a court order.

The incident began on Friday 24 September, when the unencrypted details of thousands of broadband users from BSkyB, who were thought to be illegally sharing pornography, were revealed in plain sight on the website of ACS:Law.

Sky has now reportedly cuts all ties with ACS:Law.

Personal Details Exposed

This exposing of the personal details of alleged content copiers was apparently the result of a distributed denial-of-service (DDoS) attack. ACS:Law’s website was still offline on Wednesday 29 September.

ACS:Law achieved notoriety for its letter-writing campaigns to individuals suspected of illegal file-sharing under the terms of the Digital Economy Act. This included a 78 year-old man, who was falsely accused of downloading pornography.

But the data breach has now become so serious that the Information Commissioner’s Office (ICO) has confirmed it is investigating, which could potentially lead to a penalty of £500,000 for ACS:Law.

And now BT has been dragged into the furore over the incident.

BT Admits Uncrypted Data

“BT can confirm that it did send unencrypted data to ACS:Law. However, this was not the cause of the leak,” a BT spokesperson told eWEEK Europe UK via email. “At a later date, due to a cyber-attack on the systems of the law firm, data that it held was leaked. At this time we do not believe any of BT’s customers details have been compromised, although we are continuing to pressure ACS Law for confirmation of this. We were obliged to comply with court orders to provide information to ACS Law, as was any other ISP, where they were served with such orders.”

But BT admitted that it had sent out the personal details of its customers in an unencypted file.

“We are investigating how we came to be sending unencrypted data as we have robust systems for managing data,” the BT spokesperson said. “We have already ensured that this type of incident will not happen again, launched an internal enquiry and we have alerted the Information Commissioner’s Office.”

“As a result of this incident, the BT subsidiary, Plusnet, will be providing its 316 affected customers with an identity protection service including internet security software free of charge for the next 12 months,” BT added. “Plusnet will contact customers directly regarding this over the coming days.”

Resisting Efforts

And BT, which has already voiced its concerns over the Digital Economy Act, along with TalkTalk and other ISPs, has said it resist efforts to share customers details in the future until is it satisfied that the allegations will be treated fairly.

“Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with rights holders and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly,” said BT.

Privacy activist group Privacy International (PI) has already said that it plans to file a lawsuit against ACS:Law for having exposed such personal details to the public.

Meanwhile users are being urged by anti-ACS campaigners to contact their ISPs and demand a statement from them that they will not give up any details to ACS:Law and Andrew Johnthan Crossley, the lawyer at the centre of this campaign.