Data relating to customers of the Sky Broadband service has been exposed, after a leak was caused when a distributed denial-of-service attack (DDoS) was levelled against a legal practice involved with the firm.
ACS:Law unwittingly compromised the integrity of email addresses used by over 1000 people. Criminals quickly posted the files to P2P file sharing site The Pirate Bay and many of its users have already downloaded the documents.
Among the other data stolen in this incident is a document which details the personal information of Sky Broadband subscribers, including the downloads of adult movies which they have accessed in the past or distributed online, which could be extremely damaging and potentially leveraged for blackmail or fraud.
The documents were completely unencrypted, leaving them open to access by anyone who downloads them.
In an attempt to remedy the situation, the legal firm has mailed the people implicated in the online piracy ring and said that they must compensate those affected by paying £500 each. The threat of court action is hanging over those who refuse to pay.
ASC:Law was targeted with a DDoS attack by users of 4chan because of the actions which it has been taking to prevent online piracy, according to BBC News.
A Sky representative said that the data loss incident within ASC:Law was being treated with the utmost concern and attention and that an investigation was ongoing. They explained that they had been legally obliged to provide the law firm with details of users who had used illegal file sharing sites, but said that any time they did so they would ensure that the data was properly encrypted.
ASC:Law now faces scrutiny from the Information Commissioner’s Office (ICO) and a spokesperson said that the security and acceptability of its systems would be questioned, as it is clear that third parties could gain access to sensitive information with relative ease.
The ICO’s Christopher Graham, said that everything from the firm’s data encryption policies to its firewall and employee training techniques, would have to be examined in order to see whether or not it has breached the terms of the Data Protection Act. He pointed out that under relatively recent changes to ICO powers, a maximum fine of £500,000 could be imposed.
