In the wake of the epic email database breach, which was first reported here on Slyck.com, the omnidirectional broadside against the anti-piracy law firm ACS:Law continues. The ISP Sky Broadband today stated they cut off further cooperation with ACS:Law due to the email breach and will only resume when proper security measures are taken. Although there's a mountain of information still under analysis, at least 4,000 Sky customers had their information leaked into the wild thanks to sloppy web server administration and the lack of data encryption procedures.
The exposure of ACS:Law's database was like watching a train wreck happen at 5 miles per hour. During the morning hours (EST) of September 24, the ACS:Law website was still inoperable - the ISP had wisely taken the site offline because of a previous DDoS (Distributed Denial of Service) attack. Any attempt to visit the site was greeted by the typical "Web site cannot be found" error message that most browsers display - then the inevitable train wreck happened.
What happened next was nothing short of inexplicable madness. The site was once again resolvable; however, instead of the typical ACS:Law website being displayed, the root directory and several files were made available. One of those files was a backup file - all the world could do at that point was shake its head in amazement and wait until all hell broke loose. And it did.
First came news of the contents of the email - truly terrifying stuff. And not so much because of the way ACS:Law conducts business, but because of the ultimate exposure of thousands of individuals' personal information - their IP addresses, their names, addresses, and the pornography they're accused of sharing. There is no specific total yet, but we know it's at least in the thousands with the potential to be significantly higher. In response, Privacy International, a consumer advocacy group based in the UK, has filed a complaint with the British government's ICO office.
Sky Broadband today issued a press release on the matter, identifying significant privacy concerns. Sky is one of several ISPs who have given up their data to ACS:Law - with little noticeable resistance. It appears that 4,000+ Sky customers may have been affected by ACS:Law's lack of security measures.
"We have suspended all co-operation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information."
Sky might be waiting for an event that may never happen. Currently, ACS:Law is possibly facing a £500,000 fine for the serious lapse of security, with the ICO taking this situation rather gravely.
"The question we will be asking is how secure was this information and how it was so easily accessed from outside," said Christopher Graham, UK Information Commissioner, to the BBC. Graham added, "I can't put ACS:Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage."
With its reputation lower than absolute zero and the potential for a £500,000 (about $750,000) fine, we question whether it's possible for ACS:Law to ever engage in anti-piracy operations again. Don't forget, Sky is no hero here; they actively divulged their customers' information and were part of the mass monetary demand process. But at least this is a positive first step to make some kind of amends.