ACS Law hacking a text-book case that exposes several weaknesses

The hacking of anti-piracy law firm ACS Law, which led to the exposure of the personal details of more than 5,000 alleged file sharers who are Sky broadband customers, has been described as one of the worst ever breaches of the UK Data Protection Act.

But privacy watchdog, the Information Commissioner’s Office (ICO), could not have asked for a better case to highlight the issue.

The case has exposed several weaknesses, which are undoubtedly common to many UK organisations handling personal information, and highlighted the potential business impact.

It was interesting to read that Andrew Crossley, who runs ACS Law, told the BBC that the business remains intact. Obviously, his concern about the effect of the breach on the firm’s reputation is paramount.

Unsurprisingly, Sky has suspended all co-operation with ACS Law.

The case is also a perfect opportunity for the ICO to exercise its new powers to levy a £500,000 fine for serious data breaches, because Crossley has attempted to excuse the breach by saying it was the result of a criminal attack.

The ICO has said this is not an adequate defence and serves as no excuse.

It has emerged that ACS Law was targeted by a DDoS attack and a subsequent web server and email compromise. The leaked personal details were contained within an unencrypted file attached to an exposed email message.

ACS Law has been criticised for operating a poorly configured network and web server that failed to adequately safeguard the personal details it collected.

Andrew Wyatt of software security firm Clearswift says the ACS Law breach should serve as a wake-up call for organisations to educate themselves on the security of their business information.

Richard Walters, chief technology officer of security firm Overtis, says organisations holding large amounts of personally identifiable data must automatically isolate and encrypt any databases that could breach people’s privacy were they to be stolen, lost or leaked.
“This sensitive data should have been encrypted and never associated with any form of external web application,” he says.

Amichai Shulman, chief technology officer at security firm Imperva, says the moral of this story is surprisingly not about web security but rather about sensitive data stored in an unstructured format.

“While organizations are keeping themselves busy with protecting data in its structured format within databases or as it flows out of web applications, a new threat is quickly becoming apparent: the dissemination of sensitive data from structured repository into unstructured formats such as text documents,” he says.

In its unstructured format the sensitive information is flowing around the organization almost unmonitored and uncontrolled, says Shulman.

“It is time for organizations to get ready to fight this new battleground of keeping close track of unstructured information repositories and controlling their flow around and outside their organization,” he says.
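The point Shulman and the account of the breach both make is that sensitive records, once exported into mailbox files, spreadsheets or backups, drift into places nobody is watching, such as a web server's document root. The following is an added illustration, not code from the article or from any firm named in it, of a small audit that walks a document root, flags backup or export artefacts and files that carry clusters of personal data, and reports them. The file names, the simplified email and UK postcode patterns, the PII threshold and the sample web root are all constructed for the example.

```python
"""Added example: find unstructured files carrying personal data that sit
inside a web-served directory. The patterns, thresholds and sample files are
constructed assumptions, not taken from the incident described in the article."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Deliberately simple matchers for the kinds of data the article discusses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b")

# Suffixes that normally mean "backup or export": none of these belong under
# a document root regardless of their contents.
BACKUP_SUFFIXES = {".bak", ".zip", ".gz", ".tar", ".sql", ".mbox", ".pst", ".csv"}

# Number of matches before a file counts as holding a collection of personal
# data rather than a single contact address on a web page (assumed value).
PII_THRESHOLD = 3


def classify(path: Path, root: Path) -> Optional[dict]:
    """Return a finding for one file, or None if nothing looks wrong."""
    reasons = []
    if path.suffix.lower() in BACKUP_SUFFIXES:
        reasons.append("backup or export file under the document root")
    try:
        # Binary content decodes to junk under errors="ignore", which is fine:
        # the regexes simply find nothing in it.
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        text = ""
    emails = len(EMAIL_RE.findall(text))
    postcodes = len(POSTCODE_RE.findall(text))
    if emails >= PII_THRESHOLD or postcodes >= PII_THRESHOLD:
        reasons.append(f"contains {emails} email addresses and {postcodes} postcodes")
    if not reasons:
        return None
    return {"path": path.relative_to(root).as_posix(), "reasons": reasons}


def scan_webroot(root: Path) -> List[dict]:
    """Walk the document root and collect findings, sorted by path."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            finding = classify(path, root)
            if finding:
                findings.append(finding)
    return findings


def build_sample_webroot() -> Path:
    """Create a constructed document root: one clean page plus a restored
    backup directory holding a mailbox export and a compressed site archive."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<p>Contact: info@example.test</p>\n")
    backup = root / "backup"
    backup.mkdir()
    letters = "\n".join(
        f"To: customer{i}@example.test\nAddress: 12 High St, Anytown, AB1 2CD\n"
        for i in range(5)
    )
    (backup / "mail-2010.mbox").write_text(letters)
    (backup / "site.tar.gz").write_bytes(b"\x1f\x8b" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for item in scan_webroot(sample_root):
        print(item["path"])
        for reason in item["reasons"]:
            print("  -", reason)
```

Run against a real document root, the scan is only as good as its patterns and threshold; the value of running it routinely is that a restored backup or an exported mailbox shows up as soon as it appears, rather than after it has been copied off the server. Anything it flags should be moved outside the web-served tree and, if it must be kept, encrypted at rest.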

ACS Law could have done everyone a big favour, not least the ICO. It could soon be the poster child for how NOT to handle sensitive business information.

Join the conversation

Get your facts right! THERE WAS NO HACK. The idiots left the root of the server wide open when they tried to restore the website and conveniently exposed the email backups for all to see.
THERE WAS A HACK... At least in the sense that the website was downed by a DDOS attack by malefactors loosely termed "hackers". That did lead to the exposure of the details, which were published, possibly by the original attackers, even though that was probably not the aim of the attack. So although the details were not, strictly speaking, hacked directly, the incident still exposes weaknesses that are likely to be present in many organisations, and will hopefully be a wake up call.
I'm afraid this incident will not even scratch the surface of bad IS security practices. It's everywhere, and I'm afraid all but the biggest companies do not see this as a priority (and a large expense) to rectify. Until IT is again perceived as a benefit to firms and not a necessary evil, this will continue. ACS Law will be one of the many firms this will happen to in the next 10 years. A massive fine should make them take notice a bit quicker however. I personally would throw the book at them as these firms extorting money out of normal people are about as low as you can get.
Very liberal use of the word hack, the DDoS attack crippled the web server, sloppy admin practices restored an unencrypted insecure backup file onto a server with no security in place, this was available for all to see - so people grabbed it and it ended up being shared on P2P networks worldwide ... hardly a hack, the main issue here is amazingly sloppy server admin procedures coupled with a blatant disregard for data which should have been encrypted ... ACS Law are hardly a victim here, they were bullies who harassed people ...
Calling it a hack is somewhat misleading, since that implies a deliberate attempt to compromise the site's security. The attackers didn't set out to obtain data, they merely intended to disrupt the working of the website. It was the actions of the site administrators in trying to recover from the disruption that placed the data on public view. An analogy would be a group of protesters occupying the foyer of a business in order to stop staff and customers entering. In the process of evicting the protesters, staff accidentally dropped some folders containing confidential data on the floor, where they were later retrieved by passers-by. Whether you agree with the actions of the protesters or not, they were only tangentially responsible for the loss of data.
I wouldn't call it hacking. That's the wrong word! I hate it when people (especially news writers) fail to understand the correct meanings behind the words. ACS:law was never hacked. It was attacked by Denial of Service attacks = DDoS attacking. "A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers." *Wikipedia* "a hacker is a person who breaks into computers and computer networks" *Wikipedia* I repeat myself: ACS was never hacked! Their network / server was never broken into. It was attacked by a DDoS attack!
No matter what the attack. Once again the Parasites of this most upstanding of British Institutions will walk away unblemished .... with their reputation 'Intact'. People like Crossley have a habit of climbing out of barrels of Dung ..... smelling of Roses!
Does it really matter whether it was a hack or DDoS? The fact is personal data was compromised. This is not the first, nor will it be the last data breach that would occur. However, unless the ICO shows that it has teeth there will continue to be many such incidents. This is not about to do the minimum to remain compliant, but being totally committed to protecting sensitive data thereby avoiding reputational damage.
I think it does, their web server could have failed for any reason, it was their restore / security process that was at fault. The fact that the server failed due to a DDoS was incidental to the security breach. Also the company had chosen to enter a very dubious market that significantly increased their security risks. They had a greater duty of care to protect their data as they were choosing to make themselves targets of civil disobedience.