DDoS victim faces fine for privacy breach

The UK's Information Commissioner Christopher Graham has confirmed that legal firm ACS:Law - the victim of a distributed denial of service attack by Anonymous 4Chan users - is not able to use the attack as an excuse for its failure to protect personal information.

UK-based ACS:Law is one of several anti-piracy bodies - including Australia's AFACT - that has been targeted in attacks by large numbers of Anonymous users.

ACS:Law documents exposed in the aftermath of the attack revealed the extent to which it had convinced alleged file-sharers in the UK into paying thousand dollar per allegation settlements to avoid litigation.

On Tuesday, Commissioner Graham confirmed his office would investigate the alleged data breach, which had exposed the details of tens of thousands of ACS:Law's targets.

A new list was also leaked - a list which contained the personal details of 8,000 Sky Broadband subscribers that had been in ACS:Law's possession, according to a BBC News report.

Graham told the BBC that the breach appeared to be "pretty serious" and that he could issue a fine of up to £500,000 (AU$817,000) under the UK's Data Protection Act.

"The question we will be asking is: how secure was this information, how was it so easily accessed from outside?" said Graham.

Any claim by ACS:Law that it was a victim of a DDoS attack would not pass as an excuse for exposing people's private details, he said.

"That excuse doesn't wash... Speaking generally, companies with opponents are subject to cyber-attack and we have got to have in place adequate firewalls and protection and procedures and staff training."

"And what are we doing holding all this information anyway? Is it still of use? Should we be getting rid of it?"

The leaked emails revealed that ACS:Law's anti-pirate campaign had netted the company over £600,000 (AU$989,000) in two years.

Yesterday, advocacy group Privacy International called upon the commissioner to investigate the breach.

The leak apparently occurred after ACS:Law accidentally posted a backup of its email database to its website when it attempted to recover from a distributed denial of service attack launched by 4Chan message board pranksters under a campaign called "Operation: Payback".

Operation: Payback yesterday targeted Australia's anti-piracy lobby group, the Australian Federation Against Copyright Theft (AFACT).

AFACT executive director Neil Gane claimed that the attack also knocked offline 8,000 other websites, including some operated by the Australian Government.