BT admits giving unencrypted personal data to ACS:Law

29 Sep 2010

BT has admitted to sending the personal information of more than 500 customers unencrypted to legal firm ACS:Law after a court order. This comes after a huge security lapse at the legal firm, which saw lists of people’s names, addresses and their alleged illegal downloads of music and pornography leaked to the internet.

The unsecured documents were sent to Andrew Crossley from ACS:Law by Prakash Mistry, a lawyer from BT.

“In accordance with the Court’s Order of 17 February 2010 (‘the Order’), please find enclosed the data in accordance with paragraph 1 of the Order,” wrote Mistry in the email.

“Please acknowledge safe receipt and that the data will be held securely and shall be used only in accordance with the provisions of the Order,” he added.

Two documents were sent out by BT: one listed 413 users who ACS:Law believed were sharing a music track called Evacuate the Dancefloor, and a second listed more than 130 PlusNet users who were believed to be illegally sharing pornography.

“In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen,” wrote a BT community moderator on the firm’s PlusNet forums.

“We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again.

“In this circumstance, our legal department sent data to a firm of solicitors (ACS:Law) which reached them safely and we trusted that they would keep the data safe,” he said.

Customers contacted

A spokesperson for BT-owned PlusNet said it had contacted all affected customers and was working closely with them to protect them from further exposure.

Sky said that it only handed over lists of personal information regarding file sharing in a safe format.

“Like other broadband providers, Sky can be required to disclose information about customers whose accounts are alleged to have been used for illegal downloading,” said a spokesperson.

“Because the security of customer information is also a high priority, we only ever disclose such data in encrypted form,” they said.

ACS:Law’s website experienced denial of service attacks by users of message board 4chan, who are opposed to its anti-piracy aims. The initial list appeared online after this attack.

According to The Register, people involved said that the data was exposed on directories on ACS:Law’s homepage, a mistake it made while trying to bring the site back up after the DDoS attack, meaning that there was no “hacking” involved in finding the lists.

The firm sends thousands of letters to alleged internet pirates, asking them to pay £500 per infringement or face court.

ACS:Law was one of the numerous entertainment-industry affiliated companies to receive such attacks from 4chan users.