ACS Law hacking: a text-book case that exposes several weaknesses

The hacking of anti-piracy law firm ACS Law, which led to the exposure of the personal details of more than 5,000 alleged file sharers who are Sky broadband customers, has been described as one of the worst ever breaches of the UK Data Protection Act.

But privacy watchdog, the Information Commissioner’s Office (ICO), could not have asked for a better case to highlight the issue.

The case has exposed several weaknesses, which are undoubtedly common to many UK organisations handling personal information, and highlighted the potential business impact.

It was interesting to read that Andrew Crossley, who runs ACS Law, told the BBC that the business remains intact. Obviously, his concern about the effect of the breach on the firm’s reputation is paramount.

Unsurprisingly, Sky has suspended all co-operation with ACS Law.

The case is also a perfect opportunity for the ICO to exercise its new powers to levy a £500,000 fine for serious data breaches, because Crossley has attempted to excuse the breach by saying it was the result of a criminal attack.

The ICO has said this is not an adequate defence and serves as no excuse.

It has emerged that ACS Law was targeted by a DDoS attack and a subsequent web server and email hack. The leaked personal details were contained within an unencrypted file attached to a hacked email message.

ACS Law has been criticised for operating a poorly configured network and web server that failed to adequately safeguard the personal details that it collected.

Andrew Wyatt of software security firm Clearswift says the ACS Law breach should serve as a wake-up call for organisations to educate themselves on the security of their business information.

Richard Walters, chief technology officer of security firm Overtis, says organisations holding large amounts of personally identifiable data must automatically isolate and encrypt any databases that could breach people’s privacy were they to be stolen, lost or leaked.

“This sensitive data should have been encrypted and never associated with any form of external web application,” he says.

Amichai Shulman, chief technology officer at security firm Imperva, says the moral of this story is surprisingly not about web security but rather about sensitive data stored in an unstructured format.

“While organizations are keeping themselves busy with protecting data in its structured format within databases or as it flows out of web applications, a new threat is quickly becoming apparent: the dissemination of sensitive data from a structured repository into unstructured formats such as text documents,” he says.

In its unstructured format, the sensitive information flows around the organization almost unmonitored and uncontrolled, says Shulman.

“It is time for organizations to get ready to fight this new battleground of keeping close track of unstructured information repositories and controlling their flow around and outside their organization,” he says.

ACS Law could have done everyone a big favour, not least the ICO. It could soon be the poster child for how NOT to handle sensitive business information.