Updates to this story
BT has confirmed it sent customer details in unencrypted Excel spreadsheets as email attachments to the legal firm ACS:Law.
BT said this morning it was investigating how this had happened and was still waiting for ACS:Law to let it know if any of its customer details had been compromised by the leak.
When asked if the details were sent unencrypted, a BT spokeswoman told TechEye: “I can confirm that this did happen but has no bearing on the current situation.
“We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS Law) which reached them safely and we trusted that they would keep the data safe.
“At a later date, due to an attack on the systems of the law firm, data was leaked, which was outside of our control. At this time we do not believe any of BT's customers' details have been compromised by this leak, although we are continuing to pressure ACS Law for confirmation of this.”
BT is among those ISPs that sent customer details to the controversial ‘anti-piracy’ legal firm after it wrote asking for help identifying which of its customers had IP addresses found on file-sharing sites. A series of "denial of service" attacks then led to thousands of customer details being exposed on the internet.
In an earlier statement, BT had sought to allay customer fears, saying: "Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data.
“However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements.
“We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts."
The Information Commissioner’s Office (ICO) said this morning that it was in contact with ACS:Law but was not currently investigating the firm.
A spokesman said: “The ICO takes all breaches of the Data Protection Act very seriously. Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken.”
Meanwhile, ACS:Law has been cut off by its ISP, Sky Broadband, and BSkyB said it would no longer co-operate with the solicitors’ firm after 4,000 Sky customers had their details leaked.
Yes robust systems indeed. Excel spreadsheet email attachments in unencrypted form. Top notch!
They have no business sending anyone's details to any 3rd party since there is no definitive evidence of illegal filesharing other than the use of the very legal and very academic bittorrent protocol, this is a breach of privacy and international law.
Again you are reporting the wrong facts
1. the site was not hacked, it suffered a denial of service attack along with a number of other sites.
2. the data was not stolen, it was made available to the internet by a fact of it being located on the root directory of an internet facing server with no protection.
3. the people named were not guilty of anything, they had been accused with very little evidence - just an IP address. they are therefore "alleged"
4. the information was not just about Porn, but Music and games.
5. the information should have been encrypted not passed around the company by email in an unencrypted excel spreadsheet.
6. there is much more to this than what has been published here,
7. Emails in the data show that the evidence is very unreliable and that they would have no chance of proving any infringement if it went to court. hence why no one has ever been taken to court in the uk by this firm.
8. by the way it is the same "evidence" as is being used by the USCG.
USA consider that!
Oh I nearly forgot, the data sent to ACS Law in unencrypted form was not just their data but Plusnet's as well.
That these court orders are now being relied upon by the BT etc. as a red herring to distract from their gross negligence in failing to adequately protect their own customers' data from this scammer is frankly patronising and shoddy.
This, combined with their continued insistence that the leak occurred directly as the result of a "criminal attack" on ACS's systems (when the reality is that the data were simply made available by ACS on their public website /after the fact/ of the DDoS attack to which these spineless idiots are referring) means that BT etc. are basically gutless collaborators and imo just as guilty as Crossley, if not more so.
You don't need to ask ACS, just download the torrent and you'll see 500 IPs, names, addresses and postcodes for the world to see. So they have been compromised and you owe every one of them an apology!
OF THE EARTH!!!!..... I HOPE BT Loses Customers FOR THIS AND FOR ITS OVER PRICED CRAP BROADBAND COS THEY ALREADY LOST MINE ANY WAY.
http://www.wiredvc.com/acslaw-159and-the-33norwich-pharmacal-orders/
This is bullshit. The data did not leak due to the DDoS attack. It leaked because they stored unencrypted emails on a public facing server. ACS should stop blaming script kiddies for mistakes of their incompetent staff. Techeye should mention this important fact in the article so that the tech-unsavvy readers can understand who is really at fault here.