ACS Law data breach highlights hidden security weakness, says Imperva

The distributed denial of service (DDoS) attack on law firm ACS Law, which led to the leak of the personal details of thousands of illegal file-sharing suspects, highlights a hidden security weakness in unstructured data, says security firm Imperva.

The attackers' aim was to cripple the services of the controversial law firm, which has recovered thousands of pounds by threatening alleged online pirates with court proceedings.

But in a hasty reconstruction of the law firm's website from a back-up location, archives containing the sensitive information were copied to publicly accessible locations in the reconstructed site, according to Amichai Shulman, chief technology officer at Imperva.

The attackers, or some third party, immediately took advantage of that and published the information online.

"They are now going through the stuff in those archives and are making public the 'interesting' data that they find, and the more time they have to review the files the more public stuff we should expect to find," said Shulman.

The moral of this story is surprisingly not about web security. Instead, it is about sensitive data stored in an unstructured format, he said.

According to Shulman, organisations typically focus on protecting data in its structured format within databases or as it flows out of web applications, but tend to forget about the dissemination of sensitive data from structured repositories into unstructured formats such as Microsoft Office files.

"In its unstructured format the sensitive information is flowing around the organisation almost unmonitored and uncontrolled," said Shulman.

It is time for organisations to get ready to fight on this new battleground: keeping close track of unstructured information repositories and controlling the flow of that information around and outside the organisation, he said.
