ACS:Law, a London-based law firm, already reeling from a DDoS attack by 4Chan on its website last week, is now having to pick up the pieces after the content of its email repository was inadvertently displayed on line.

The content of the email, some of it clearly sensitive and now appearing on forums and Internet news websites across the world, includes the names and in some cases, addresses and credit card numbers of internet users accused of using their internet connection via P2P or Torrent sites to upload copyrighted works, leaving it wide open to prosecution under the data protection act and infuriating thousands of internet users. In addition, private communications within the firm have also been revealed after the entire email folder was, ironically, uploaded via PirateBay.

The leak could also jeopardise an ongoing investigation by the Solicitors Regulatory Authority which began after the SRA received hundreds of complaints by internet users, accusing ACS:Law of bullying tactics and using unreliable monitoring software to catch file sharers. Which? has also been critical of letters sent to internet users and the reliability of tracking software used to pinpoint users.

Whilst the ACS:Law web site remains offline, it is unclear just how much data was compromised but it is said to include the names and addresses of internet users accused of using their internet connection to upload copyrighted works, as well as credit card numbers, leaving it wide open to prosecution under the data protection act and infuriating thousands of internet users.

One web site reports that in an effort to dampen down the SRA investigation, Andrew Crossley who heads ACS:Law, said in one email:

"I am trying to think of ways of wrong-footing the SRA and taking the wind out of their sails. My latest wheeze is to contact schools or local authorities and offer to give talks to teenagers at schools about file sharing and why we do what we do. I would offer to do this free of charge and offer it as a service to educate young people not to file share, to prove that the work we do is not all about the money."

Clearly a desperate if not imaginative ruse to force the SRA to call off its hounds, it is unlikely to wash with the SRA which regulates more than 110,000 solicitors in England and Wales, and is now racking up costs and trying to resolve a complaint that is potentially giving the legal profession a bad name.

The investigation, for now, seems to be centered on the wording of letters sent to internet users and the reasoning behind the amounts claimed (which average around £500 per person), but for ACS:Law, which sends thousands of letters through the post, the loss of the data could be enormously damaging for Mr Crossley himself, who bragged of an expensive break in Cannes in May this year which included an evening at one of Cannes most exclusive clubs, a recent purchase of a Bentley Avange and correspondance between Crossley, his wife, and his girlfriend.

Whilst internet piracy remains a serious problem for the publishing and recording industries, ACS:Law clearly see splatter invoicing as a highly lucrative business model. Former cases handled by law firm Davenport Lyons were dropped, due in part to negative publicity, and some staff as well as paperwork was transferred to ACS:Law. Crossley has already indicated to the SRA that he has no intention of ceasing operations unless the SRA can come up with a good reason for him to desist.

Crossley has already had to face questions by the SRA for conduct unbefitting a solicitor after failing to file with the Law Society, Accountant’s Reports. He narrowly escaped being struck off, claiming that he had been struck blind with a stroke, and was beset with problems with a rogue accountant.

The advice by Which? for internet users who receive such letters through the post, is not to ignore them but reply in their own words why they feel they have been wrongly accused. Other support groups have suggested that those accused be careful of any questionaires sent out, refusing to complete them if need be, and keep the reply short and to the point.

One expert told us:

"It is up to ACS:Law to prove that you personally have uploaded any files via P2P web sites. As always, an IP address is no categorical proof that any individual is guilty of copyright infringement. If you give the slightest hint that you 'may' have allowed your connection to be used in this way, your case will go to the top of the list of those they feel are more likely to give in and pay up. Its as simple as that. Defended cases are less lucrative and the entire business model relies heavily on trawling a wide net to catch just a few juicy fish."

Update (Monday 27th September 2010):

Privacy International has announced its intention take legal action against ACS:Law for the breach of sensitive personal details and is urging those who may be affected, some of whom are said to be Sky broadband customers, to take steps to secure their bank accounts and credit cards if they were supplied to ACS:Law.

Update (Tuesday 28th September 2010):

Christopher Graham, Information Commissioner, has confirmed that ACS:Law is to be investigated following what now appears to be a case of gross negligence in terms of protecting crucial and potentially sensitive data. He said that anyone holding personal information had to "take their responsibilities seriously or there will be trouble."

The ICO can levy fines of up to £500,000 for failing to have in place suitable safeguards to protect data and it is clear that whilst the DDos attack by 4Chan brought the ACS:Law web site to a standstill (the DNS records having been suspended as a result), the breach of security was down to ACS:Law or its web administrator, with personal details of thousands of internet users now in the public domain.

Recent figures suggest that if the Information Commissioner were to impose the maximum fine, it could almost wipe out any profits made by ACS:Law through its anti-file sharing business model, plus some speculation that ACS:Law could simply fold under the weight of financial penalties and a forthcoming Disciplinary Tribunal (the result of an ongoing investigation into by the Solicitors Regulatory Authority which is still pending) - and which could see further fines.

Sky today confirmed that it had suspended all co-operation with ACS:Law with immediate effect until ACS:Law could demonstrate adequate measures to protect the security of personal information.

BT went further, saying it was concerned about the integrity of the process used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements, a point of view shared by Which? and others.

It is unclear if or when the ACS:Law web site will return although Mr Crossley who heads ACS:Law said in a brief statement today that his company was "open for business".

The question on most people lips would be: 'yes but for how long?'

Speaking to the BBC, privacy expert Simon Davies said that anyone who suspected their details may have been included in the email leak can lodge a request with ACS:Law called a Subject Access Request. Such a request would disclose all personal information held on a person, including e-mails, memos, documents and files. A person can ask for this information to be deleted if it is excessive, out of date, or wrong. However, removing details from the lists already circulating on the internet is impossible as there are so many copies in multiple locations.

Hellmail news and articles are licensed under a Creative Commons License. and may be reproduced if a return link is provided. If you wish to quote particular sections of this article in your own work, you must seek formal approval from the Hellmail editor first - except where displaying Hellmail content automatically via Feedburner or our Rss feed or Webmaster code and you own that site.