back to article Anti-piracy lawyers' email database leaked after hack

Hackers have uploaded a leaked database of emails from anti-piracy law firm ACS:Law onto P2P networks and websites. ACS:Law was among a handful of entertainment industry-affiliated organisations to endure denial of service attacks by the denizens of 4Chan last week. A loose-knit collective of members of the notorious message …

COMMENTS

This topic is closed for new posts.
  1. g e
    Grenade

    My I (possibly) be the first just to say...

    BWAHAHAHAHAHAHAHAHAHAHA

    1. Lionel Baden

      so it seems

      Yes you may be the first to say anything on this matter

      1. Andrew Norton
        FAIL

        re: so it seems

        Except for everyone that commented on the story when it broke (and was covered elsewhere) on Friday

        1. Lionel Baden

          im sorry

          All my witty side comments will come with full defining parameters in future!!

          i no further expect people to except that i might just of been talking about the Reg :/

    2. Anonymous Coward
      Megaphone

      What's with

      the freetards and children here? I wish 4Chan children would stay on their forum and not bother the rest of the non-freetard world to doesn't mind paying for stuff.

    3. Dazed and Confused

      And even more to laugh about

      Looks like a £500K fine is heading their way :-) according to the Beeb.

      as you said

      BWAHAHAHAHAHAHAHAHAHAHA

  2. Anonymous Coward
    Heart

    Payback

    It's a real bitch,

  3. John Tserkezis
    Happy

    As the saying goes..

    "Privacy International said on Monday that it plans to sue ACS:Law for violating the privacy of internet users over the security breach"

    Those who live by the sword, die by the sword.

    Gotta love it!

  4. Matt Hawkins
    Thumb Down

    ICO - Toothless not even ruthless.

    I wouldn't bother with the Information Commissioner's Office if I was them.

    By their own admission the Information Commissioner's Office doesn't do anything other than help the offender not make the same mistake in the future.

    They do not prosecute. Even if the law has been broken.

    They are toothless and should be on the list of useless Government organisations to be scrapped.

    1. Anonymous Coward
      FAIL

      Damned right

      Damned right.. I know for a fact that there a companies that have regular wrist-slaps from the ICO for breaking the law, and that's it. So, they just keep breaking the law..

      The ICO either needs to act or it should be disbanded. At the moment it's just a waste of space.

  5. phil mcracken
    Terminator

    I hear that anonymous is a pretty cool guy...

    doxes copyright lawyers and doesn't afraid of anything.

    1. Trevor_Pott Gold badge

      Judging by the lawsuits flying around...

      ...Anonymous might even get said copyright lawyers vanned.

      1. Anomalous Cowturd
        Pint

        Now now Trevor!

        Was that a hint of ironic glee I detected there?

        Good stuff!

        Still no "Ironic" icon, so have a beer...

  6. Tom_B

    Privacy implications?

    I have to wonder what privacy law says about leaking personal details of people who never wanted you to have them in the first place.

    1. Duke

      what privacy laws?

      Privacy law won't say anything as they don't exist in the UK, either on statutes or in common law. There's the Data Protection Act, which is fairly toothless, Article 8 of the ECHR (covering "protection of private life... and communication") but that would involve an action being taken against the State, so not really helpful, and then there is "breach of confidence" which might work against whoever had set up the website.

      As for people not wanting their details to be there... it doesn't really matter what the people want - the details were there because ACS Law asked a Court to hand over the details and the ISPs didn't bother to fight.

  7. Anonymous Coward
    Happy

    Ahem

    It appears that this is now indeed, a 'big whoop' as Mr. Crossley originally indicated.

  8. Anonymous Coward
    FAIL

    Come on Reg.

    For a website reporting on IT, why have you succumbed to the sensationalism that plagues the 'normal' press on these sorts of matters. There was no hacking of the website at all. All that was required to download the mail was a simple click of a link.

    1. Anonymous Coward
      Anonymous Coward

      Hacking

      The hacking part was in trashing their server in the first place, requiring the subsequent restore from backups. Someone predicted that those doing the restore would be a bit panicked and might forget some precautions during their rush to restore service - and that prediction proved to be accurate.

    2. Anonymous Coward
      Coat

      re "Come on Reg."

      I think commentard is a pretty cool guy. Eh maeks comments, and doesn't understand of anything.

    3. sT0rNG b4R3 duRiD
      FAIL

      In any case...

      WTF is email doing on a webserver anyways?

  9. LinkOfHyrule
    Paris Hilton

    Not good for the alleged "file sharers"

    Not good for those they poor 80 year-olds, who don't even know how to turn a computer on, who are "suspected" of downloading hardcore gay porn is it!

    So I will mark them down for that, but they get top marks for getting hold of the idiot who runs the firms emails and for attracting the attention of privacy groups and hopefully the Information Commissioner!

    Paris, 'cus even she aint this loose lipped!

  10. Anonymous Coward
    Happy

    Interesting Read...

    I know what im doing when i get home tonight, hope there is enough seeds....

    Anon coz :-)

  11. hahnchen
    Thumb Up

    ACS:Law official statement

    "Big whoop. It was only down for a few hours. I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish." - Andrew Crossley, ACS: Law

    http://www.theregister.co.uk/2010/09/22/acs_4chan/

    I wonder how concerned he is over his coffee queue now.

  12. Anonymous Coward
    Grenade

    so..

    Andrew Crossley was unavailable for comment due to a horrendously long queue at the coffee shop?

  13. Dr. Mouse
    Pirate

    Oh Fantastic!

    "Privacy International said on Monday that it plans to sue ACS:Law for violating the privacy of internet users over the security breach"

    A fantastic twist to the tail (yes, deliberately used the "wrong" spelling).

    1. Anonymous Coward
      Headmaster

      "wrong" spelling?

      While a tale may have a twist in it, the proverbal and correct phrase (and spelling) is "a twist in the tail", so I don't really see what you're getting at?

      1. foxyshadis

        very wrong indeed

        Obviously meant "britch" there, guv. Got to have yur clean security britches!

  14. David Neil
    FAIL

    Serious bother

    It appears they also had forms with peoples credit card numbers on them as well, tut tut

  15. Anonymous Coward
    Anonymous Coward

    Hack?

    What hack?

    The site was flooded with a DDoS which is a nusiance designed to stop people from accessing the website normally, not a hacking attempt. What happened after that was human error on the side of the tech person/people running the website.

    1. Noons
      FAIL

      hack, not crack

      you're confusing the two, go check again...

  16. Duke

    "... leaked after hack."

    Just a quick question, but where was the actual "hack" involved? It seems that there was a DDoS attack (which hardly counts as hacking) and then the files were made available to everyone via the back-up version.

    1. nigel 15

      CPanel backup

      it's just complete user error. the information commissioner should bust their balls. this is not a hack they just posted all this info to their website.

      I'm actually hosted with the same company, also on a shared server, though i guess it's the same for all cpanel.... the only reason for the full backup to be in public_html is if you're too lazy or stupid to move the backup folder from the home directory by FTP and just stick it in there to download via http.

      i have done this myself in the past.

  17. Anonymous Coward
    Go

    I hope...

    ...every one blackmailed by them, who has been breached now sends them a letter.

    Please pay £500 or face court over data protection breaches (and possibly libel if the user was never found to have commited an offence).

    Teach the smug batards a lesson.

  18. Anonymous Coward
    Thumb Up

    Beautiful!

    Previously on El Reg re the recent DDoS attack on ACS:Law:

    'Andrew Crossley, the head of ACS:Law, told The Register the attack was "typical rubbish from pirates". "Big whoop," he added.' '"...I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish."'

    To quote Nelson Muntz: "HA HA!"

  19. Anonymous Coward
    Pirate

    Boarded and raided

    Now to make the scum walk the plank.

    1. Fatman

      RE: Boarded and Raided

      Quote:

      `Now to make the scum walk the plank.`

      NO SIR,

      Chain the scum to the deck and scuttle the ship!!!!!

      1. NukEvil

        meh...

        Why waste a perfectly good ship?

  20. NigelS

    Now now el reg lets get the facts right..

    The emails were available publicly because acs law backed up to public_html.. not because the server was "hacked" as your title suggests.

  21. yakitoo
    Pirate

    Oh dear,

    how sad, what a pity, never mind.

  22. Anonymous Coward
    Heart

    4Chan vs ACS:Law 2: This Time Its Personal

    Epic win :D

    posting as Anon out of respect

    down with the scumbags!

  23. nigel 15

    I'm laughing my balls off.

    not comment. just the title.

  24. John Savard

    Climategate

    I think this hack victim will show the climate scientists what sort of prompt and effective legal action they should have taken when their E-mails were illegally accessed by hackers.

    1. Anonymous Coward
      FAIL

      lawl - Who are they going to sue?

      n/t

  25. oldredlion
    Happy

    And another thing...

    <Terry Thomas>

    Hard luck old man

    </Terry Thomas>

    1. Anonymous Coward
      Happy

      I think you'll find that's

      "Oh I say, hard cheese old man!"

  26. yeahyeahno
    WTF?

    Erm hacked?

    No hacking involved, ACS:Law put the backup on their webserver, and then exposed the root directory to all visitors...

  27. JaitcH
    WTF?

    Maybe the big-mouthed lawyers partners will ...

    convene a meeting to develope a new communications policy that circumvents provocative statements.

    Guess this loser-lawyer failed the court hearing part of his course on how to induce juries and judges to buy his theory.

  28. Simpson

    Shouldn't it be named,

    Operation: Playback

  29. Anonymous Coward
    Alert

    not a hack in any way shape or form

    Yes, it really has to be stated very loudly that the leak of these emails was nothing to do with any kind of hack in any instance, ACS:Law published a copy of their unencrypted backup file in a public area of a public server.

    This is not a hack and has nothing to do with hacking or cracking in any way

    ACS:Law published their archive

    Many places this story is being told are having trouble keeping the dDOS (which is not a hack in any case) seperate from the leak of the emails

    C'mon get it right, in any event, if these emails had been stolen from a 'secure' are of the site it still wouldn't be a hack, it would be a crack.

    One day, someone somewhere in the media will understand these differences, though I'll not hold my breath

    1. The Other Steve
      Alien

      Ah, how sweet.

      "C'mon get it right, in any event, if these emails had been stolen from a 'secure' are of the site it still wouldn't be a hack, it would be a crack."

      Meh, you coulda been a contender, up until that bit

      Hack, crack, schmack. Get over it already. "DarkNerd" ? Snark. What is this 1982 ?

      For the pedantic record though, the DDoS attack appears to have mostly been carried out by volunteers using a point and shoot DDoS toy with the rather racy and exciting monika "Low Orbit Ion Cannon" (LOIC), which amongst it's many features offers the user the ability to slave their running instance to a controlling IRC chan in order to become part of a voluntary botnet.

      Amusingly, this is apparently known as "Hive mind mode", or some such. Gotta love those skiddies.

      1. Anonymous Coward
        Anonymous Coward

        errmm..

        you seem to have commented on the wrong story, you need this one:

        http://www.theregister.co.uk/2010/09/22/acs_4chan/

        The DDoS is nothing to do with an unencrypted backup of emails being placed into a public area of a public server for any member of the public to download by clicking on a link

  30. Oliver 7
    Grenade

    Bye bye ACS:Law, we hardly knew ya!

    From reports on the BBC it seems more than 5,000 Sky subscribers have had their details leaked in unencrypted form.

    ACS:Law, live by the sword, die by the sword.

    1. Anonymous Coward
      Grenade

      And approximately 500 BT/Plusnet subscribers.

      nm

  31. Anonymous Coward
    Pirate

    Ha!

    This is brilliant. I despise ACS:Law (I even despise the firm's stupid name) and I am absolutely delighted to see Andrew Crossley being forced to eat his words (how's the coffee now Andy) and to see his name further dragged through the mud.

    How bad does someone have to be that even lawyers are ashamed to be associated with him. Nothing too bad can happen to Andrew Crossley and anyone associated with him.

    Go Anonymous.

    1. Ted Treen
      Pirate

      Seconded.

      Hear, Hear, that man.

  32. Anonymous Coward
    FAIL

    Is it just me, or have ACS:Law blown their foot off

    ...by being forced to limit the damage, Mr Crossley has gifted *anyone* who receives one of his firms extortion notices a perfect defence.

    from http://www.bbc.co.uk/news/technology-11418962

    "All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database.

    "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files,"

    Now he *has* to say this. If he were to say anything to the contrary, then he would leave himself wide open to claims of libel from anyone one the list. However, if ACS:Law were to pursue a case as far as court (not that that will ever happen, as they would be scared of losing their gravy train) then any defendant simply needs to quote this, and ask ACS:Law to provide the *further* proof of who *did* share the files.

    Job done.

    1. Anonymous Coward
      Thumb Up

      I shoud also like to know.....

      ........just how much value these IP addresses seen 'in the swarm' have when most bit torrent clients will allow you to send any IP address you like to the servers.

      How can they prove that any one IP address was actually sharing anything and not being spoofed by a skilled and unscrupulous hacker.

      I mean this hacking thing is obviously very difficult and needs a lot of skill. These criminals are everywhere.

      Ha Ha!

      And a lot of free beer for Anonymous.

    2. The Fuzzy Wotnot
      WTF?

      Jesus wept!

      ' "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added. '

      So basically this piece of slime has personal records from another company, on that company's customers, for no reason whatsoever? He's scum and so are Sky for letting him keep them, most likely after he asked a mate of a mate for the list! Glad I dumped Sky 3 months ago and went back to Virgin.

      I never download movies, bongo-flicks or normal, if I get a nasty demand, Mr Corssley can go stick his head up the nearest cow's backside!

  33. Tim Jenkins

    Epic ; )

    mmmmmm; backing up email archives to a webserver...

    Can we have a 'What Could Possibly Go Wrong?' icon, please?

    (to be applied when, say, using a torrent to acquire the digital data of a law firm which makes a living by tracking down people who have used a torrent to acquire digital data; WCPGW?)

    1. Oliver 7

      Good idea!

      Perhaps a can of Dr Pepper?

    2. frymaster

      not totally WTF-y (just most)

      I've seen some all-in-one hosting sites that put the maildir directories in a customer's file area, 1 level up (so you'd have 2 dirs, mail/ and httpdocs/)

      if someone did a total backup and then stuck it in the wrong place... they'd still be total idiots, but at least it would explain what the emails were doing on the server in the first place

    3. Anonymous Coward
      Pirate

      Or..

      Or a Guy Fawkes Mask icon please. I guess this is what happens when you piss off Anonymous.

  34. John 48
    FAIL

    How is it?

    Everyone seems obsessed with whether this counts as a hack or just a more general brain fart on behalf of the web site admins, and yet they are not asking the more obvious question; i.e. WTF is any of this information doing on a public web server in the first place?

    1. Anonymous Coward
      Anonymous Coward

      I totally agree

      How the data escaped - was it "hacked" or was it simply "found" isn't really the question here. What on earth was the company doing storing internal documents on the same server that hosts their web site. I hope that the ICO looks into it deeply... not that the ICO ever does much.

      1. Anonymous Coward
        Flame

        okay...

        If you think about it ... *IT'S ENTIRELY THE QUESTION* really isn't it.

        ACS:Law let slip the data from their own doing, there was no reliance on an external party to breach the data

        Comments to this story are divided into people that understand the weight of this and people that don't

    2. Anonymous Coward
      Thumb Up

      Absolutely......

      It's in the title!

      It also shouldn't be on a shared, hosted server as that's what some folks seem to think it is. I haven't checked.

      Lots of things can go wrong and the staff of the hosting company may also have access, depending on how it is set up.

  35. Shades

    Has El Reg noticed...

    ...That the torrent info on Pirate bay references the original story about the ACS:Law ddos attack?

    1. irish donkey
      Pirate

      I seen that

      But the el Reg article seems to down play the significance of this error of judgement.

      I'm sure if this was Google or some other web gaint they would be running this as the top story. But as its to do with Web Piracy. ......... Just asking

      hmmmmm

  36. Anonymous Coward
    Anonymous Coward

    Egg, meet face

    ACS should have been a little slower to mock and claim 'no damage' from the recent attacks. If the ICO fancies rebutting the "toothless waste of space" tag by exercising his shiny new powers, this breach would be the one to do it with.

    Couldn't have happened to a more appalling business.

  37. rcdicky
    FAIL

    OK Guys...

    Think it's been established it wasn't a hack. Now stop trying to show off and just enjoy the story for what it is :P

    Those guys look like utter lemons :D

    1. Noons
      Thumb Down

      h ~= cr

      It looks like there's lots of people here who don't remember the difference between hacking and cracking. I thought Reg readers would know better. Double fail...

      1. Ross 7

        Hate that I have to do this but..

        Jesus... Language changes! Hacking *is* the correct term for exploiting security deficiencies because that's how language has changed to define it.

        If you don't believe me feel free to walk up to a bunch of delirious football fans post-match and exclaim how gay you think they look....

    2. Anonymous Coward
      FAIL

      "Think it's been established it wasn't a hack."

      But Radio 1's Newsbeat said it WAS a hack - so it MUST be true. And they never mislead anyone...

      Also, let's not forget that ACS is the victim here.

      /sarcasm off.

  38. Stone Fox
    Thumb Up

    for teh lulz!

    Anyone notice ACS laws site is down today? (still / again)

    1. Haku

      Strange way to run a business

      In a BBC article Mr Crossley said to them "The business has and remains intact and is continuing to trade"

      It strikes me that a company that deals with alleged internet copyright infringement should have a working website...

      The articlealso says the ICO can't put them out of business (boo!) but may fine them £500,000 which is a real reputation damager. I think the leaked emailes provided the coffin and the fine may just be enough for the nails in the lid.

  39. Michael 28
    Linux

    Bet they use windoze too!!!

    ...so if you ARE d/l ing the torrent, better get it virus-checked!!!

  40. Anonymous Coward
    Go

    ICO is talking £500,000 fine

    somehow I doubt it'll come to that, but it would be amusing.

    1. Noons

      big whoop!

      where's the egg on face icon when you need it?...

  41. Anonymous Coward
    Anonymous Coward

    @Me

    Q: "How soon do you think it will be before the contents of those investigations become public knowledge?"

    A: About 48 hours.

  42. Anonymous Coward
    Stop

    Plusnet customers too

    PN are keeping quiet on it but several hundred PN user names and home addresses were in the files that are being circulated .

  43. Riscyrich
    FAIL

    Wonder if ACS wants some ICT support?

    More than likely sys admin has had a visit from the Spanish Archer --> El Bow

    The RAR file from the torrent has about >40 trojan's in - downloader beware and warmup the Linux distro ;-)

  44. dephormation.org.uk
    Headmaster

    Recommended reading for BT/Plusnet Directors

    Bruce Schneier: 'E-mail Security: How to Keep Your Electronic Messages Private'.

    Schneier is also a current director of BT Counterpane, which is rather ironic (again).

  45. Ted Treen
    Pirate

    I really don't give a stuff about...

    ...the techie details.

    I COULD give a stuff about ACS:Law being hammered, fined, embarrassed, squirming etc. etc.

    Haven't laughed so much since Granny caught her tit in the mangle...

  46. Andrew the Invertebrate

    Now only if .....

    they'd make it half a million per breach. So that's the original 5000 Sky customers, plus the 8000 on the second list and the 500 BT customers.

    That'd be £6,750,000,000 please.

    It might not fill the black hole of debt in the economy, but it would let Lewis have his two carriers with electric catapults along with enough F-18's to blot out the sun.

  47. mmm mmm

    ACS

    http://www.bbc.co.uk/news/technology-11418970

  48. IPatentedItSoIOwnIt
    Pirate

    Most interesting thing I have read on the subject is...

    TalkTalk and Virgin challenge the ACS court orders and so their customers aren't being hunted down by ACS.

  49. heyrick Silver badge
    Grenade

    Hang on, can't we angle for *intent*?

    Reading the comments, it looks as if the server was not actually hacked, but some dummy dumped the file into public_html where it was then visible to the world at large.

    Given ACS:Law has something of a history of inventing truths, would it not be viable to suggest that *NO* hack actually took place, and that by placing said file into public_html, it was purposefully *published* to the public domain?

    PS: Hasta la vista, baby...

    1. Ross 7

      Re: intent

      Even better news (unless you're Andrew Crossley) - from the DPA :

      55A (1)The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

      (a)there has been a serious contravention of section 4(4) by the data controller,

      (b)the contravention was of a kind likely to cause substantial damage or substantial distress, and

      (c)subsection (2) or (3) applies.

      (2)This subsection applies if the contravention was deliberate.

      (3)This subsection applies if the data controller—

      (a)knew or ought to have known —

      (i)that there was a risk that the contravention would occur, and

      (ii)that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

      (b)failed to take reasonable steps to prevent the contravention.

      It's enough to show that they ought to have known, and failed to take reasonable precautions.

      As to contravention, Principle 7 (Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) seems fairly straightforward to show.

      Given that the statute uses the term contraventions it would appear that it falls under administrative law, making the standard of proof "on the balance of probabilities" (i.e. 51%). Hardly difficult in the circumstances.

      Whilst I don't have any sympathy for the folk being badgered by ACS as far as the badgering goes, I fully inderstand their distress at the (prima facie) illegal sharing of their personal data. Hopefully the ICO will finally grow some bal...err hit puberty and do the job Parliament gave them. I don;t see a £500k charge, but anything under 6 figures would seem absurd.

      1. Anonymous Coward
        FAIL

        encryption

        the court orders require BT etc to supply the data in encrypted form on CD or other media, presumably to minimise chance of loss, ... then this bunch of clowns go emailing the decrypted pain text about too and from between gmail and shared-server-hosted email accounts for gods sake... Why the hell didn't they at least have an in-house mail server for this sort of thing?

  50. Anonymous Coward
    Pint

    The Germans have a word for it ...

    shadenfreude

  51. Armus Squelprom
    Happy

    This is just soooooo funny

    Go scriptkiddies, blast your way to freedom with the LOIC!

  52. Anonymous John

    What happens now?

    Will they try and track down the people who file-shared the leaked documents, threaten them, then lose their details too?

    Where's the ever-decreasing circles icon?

  53. Sam Therapy
    FAIL

    Not everyone targeted by Crossley's clowns are freetards

    There are numerous instances of innocent people being wrongfully accused by ACS:Law, who have been frightened into paying up for something they didn't do.

    Regardless of whether you take the moral high ground on piracy, Crossley's scattergun approach and bullying tactics have earned him all the trouble he's now suffering.

  54. Anonymous Coward
    Go

    Direct debits

    There's a nice Thunderbird Portable-included version floating about too. Makes it easy to browse :-)

    Among the information included is the bank details for ACS Law client account ...Now we all know there is absolutely no danger of anybody misusing them to, say, make charitable donations..

    1. Scorchio!!

      Thank you for the reminder

      I download most of my portable apps from portableapps.com

      http://portableapps.com/apps/internet/thunderbird_portable

  55. fran 2

    sky users more likely to be porno pirates?

    According to Sky

    Sky Broadband, part of Rupert Murdoch's pay-TV group BSkyB, said it believed the leaked data included the names and addresses of about 4,000 Sky customers

  56. Anonymous Coward
    Alert

    Its not just Sky, BT too

    There are details of around 500 BT/Plusnet subscribers included, some 140 linked to allegations of hard core pron downloads (the rest music freetarding).

  57. Anonymous Coward
    Anonymous Coward

    I wonder...

    ...if Deborah Prince, head of Which? Legal, knows that Andrew Crossley thinks she's a "total idiot"?

    Hey Andrew, ever heard of "Hell hath no fury like a woman scorned"? Now the queue for coffee IS the least of your worries!

This topic is closed for new posts.

Other stories you might like