BT embroiled in ACS:Law porn list breach
BT has admitted it sent the personal details of more than 500 customers as an unsecured document to legal firm ACS:Law, following a court order.
The news could put BT in breach of the Data Protection Act, which requires firms to keep customers' data secure at all times.
The e-mails emerged following a security lapse at ACS:Law.
A BT official admitted "unencrypted" personal data was sent, adding it "would not happen again".
The unsecured Excel documents were sent in late August by Prakash Mistry, a lawyer working for British Telecom, to Andrew Crossley - who runs ACS:Law.
"In accordance with the Court's Order of 17 February 2010 ("the Order"), please find enclosed the data in accordance with paragraph 1 of the Order," wrote Mr Mistry in the e-mail.
"Please acknowledge safe receipt and that the data will be held securely and shall be used only in accordance with the provisions of the Order," he added.
Keep it safe
However, while BT requested that the personal information be held securely, the data was sent in an unencrypted document that could be read by anyone accessing the e-mail.
Two separate documents were sent out by BT: one with a list of 413 users which ACS:Law thought were sharing a music track called Evacuate The Dancefloor, and a second with more than 130 PlusNet users alleged to be sharing pornographic material.
"In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen," wrote a BT community moderator called Nigel on the firm's PlusNet forums.
"We are investigating how this occurred as we have robust systems for managing data.
"We have already ensured that this will not happen again.
"In this circumstance our legal department sent data to a firm of solicitors (ACS:Law) which reached them safely and we trusted that they would keep the data safe," he added.
A spokesperson for BT-owned PlusNet told BBC News that it had contacted all of its affected customers and was "working with them closely to protect them as much as possible from further exposure" and would be providing them with "an identity protection service including internet security software free of charge for the next 12 months".
PlusNet said it would now take a more rigorous stance against requests for user data.
"Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with rights holders and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly," the spokesperson told BBC News.
PlusNet said it was running an internal enquiry to ensure "that this type of incident will not happen again" and had alerted the Information Commissioner's Office.
Simon Davies, from the watchdog Privacy International, told BBC News that BT had "comprehensively breached" the Data Protection Act.
"More significantly, they appear to be in contempt of a high court order," he added.
The order, he said, was made in the High Court of Justice before Chief Master Winegarten on 7 July 2010.
The ruling, ordering internet service providers to hand over data to ACS:Law, states that it should be provided in an "electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media".
Mr Davies said he was going to write to the High Court and to the Attorney General and press for proceedings for contempt of court to be brought against BT.
Sky Broadband was also required to hand over lists of users suspected of illegally sharing files, but said it only ever sent them in a safe format.
"Like other broadband providers, Sky can be required to disclose information about customers whose accounts are alleged to have been used for illegal downloading," the spokesperson told BBC News.
"Because the security of customer information is also a high priority, we only ever disclose such data in encrypted form," they added.
The news is the latest twist in an ongoing saga after legal firm ACS:Law was targeted by online activists from notorious messageboard 4chan.
ACS:Law has made a business out of sending thousands of letters to alleged net pirates, asking them to pay compensation of about £500 per infringement or face court.
Users from 4chan, who have a long track record of internet activism, targeted ACS:Law during what it called Operation Payback.
ACS:Law's website was taken down for a few hours and after it was restored, it emerged that the company's e-mail database had been leaked online.
Many of the e-mails contained unsecured documents containing the personal details of thousands of UK broadband subscribers.
Amichai Shulman, chief technology officer of security firm Imperva, told BBC News that the documents emerged not as the result of a hack, but due to a security lapse on the part of ACS:Law.
"Hackers had one point in mind - to cripple the services of the law firm, to disrupt business services and cause humiliation," he said.
"Since ACS:Law's site was corrupted, they've reconstructed it from a back-up location which also included archive files with sensitive information.
"In the reconstruction process - which was probably done in haste - the archives with the sensitive data were copied to publicly accessible locations in the reconstructed website.
"Attackers immediately took advantage of that and downloaded them. They are now going through the stuff in those archives and are making public the 'interesting' data that they find.
"The more time they have to review the files the more public stuff we should expect to find," he added.
A spokesperson for the Information Commissioner's Office (ICO) told BBC News that the BT e-mail would be part of its ongoing investigation into ACS:Law, but that it would also check whether it had received any specific complaints from PlusNet users.
The UK's Information Commissioner, Christopher Graham, told the BBC that firms that breach the Data Protection Act could face fines of up to half a million pounds.