back to article ACS:Law's mocking of 4chan could cost it £500k

Off-the-cuff bravado aimed at internet pranksters has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law. The personal details of thousands of ISP customers accused of unlawfully sharing pornography, as well as video games, are now freely available online. The …


This topic is closed for new posts.
  1. Huey

    Tis better

    No hack involved blunders all round.

    Nice and brief El Reg!

    It must go into the books somewhere I'd suggest somewhere near JS after all 4chan couldn't hit an elephant at that dist.....

  2. Anonymous Coward
    Anonymous Coward


    I presume that not only can the Data protection Dude do them for £500k, there will be a lot of rather pissed off downloaders who can sue them as well.

    Oh whoa. What a shame for them.

  3. Anonymous Coward
    Thumb Up

    New icon please

    Can we have a Guy Fawkes Mask icon now, please?




      +1 cowbell as well please.

    2. Stone Fox


      Given the amount of /b/tards /i/nsurgents and assorted anons I see posting here it'd make a lot of people happy.

      And no, I didn't break rules 1 & 2 saying that!

  4. IglooDude

    Stupidity or malice?

    While the fellow in charge of ACS:Law was clearly unaware of the temperature of the pot he was stirring with his comments, I am surprised that a website restoration would go THAT badly awry, and another fairly obvious explanation would be that a particularly adept 4chan type got into their network and surreptitiously "adjusted" ACS:Law's website with the private data. Certainly if I were ACS:Law that'd be my defense, anyway.

    1. Loyal Commenter Silver badge

      If that were the case,

      how did the hypothetical 4chaner get hold of that data, if it wasn't exposed through their website, without adequate protection?

      1. IglooDude

        Stupidity rules

        Perhaps I'm being misinterpreted. I'm agreeing that their data was clearly inadequately protected, and that they do deserve whatever legal punishment they face. What I'm wondering was who specifically exposed the data to the website? A stupid ACS:Law person, or a malicious 4chaner?

        1. Bilgepipe
          Black Helicopters


          Or a malicious ACS:Law person....?

          1. Paul Harrap

            missing option

            Or a stupid 4channer?

            (oh. bugger. don't hack me bro)

        2. Anonymous Coward

          for the idiots who can't see what's going to try to happen next..

          Not going to spell it out entirely but, use your imagination...

          Speaking to BBC News, Mr Crossley said there were "legal issues" surrounding the leak.

          wriggle wriggle wriggle

          1. Alex 0.1

            Nothing so complex

            You guys think way to technically for this.

            ACS dont have their own servers or anything of the sort, their account was previously hosted on a shared cPanel hosting account at Dataflame (probably costing them about a fiver a month) - When Dataflame cancelled their account following the DDoS they will have provided to ACS a backup of the account (cPanel will generate restorable account backups, including all email content) which ACS will have then uploaded to their new account with whoever their new shared cPanel host is, to then restore the backup into a working account.

            Stupidity, however, meant that instead of uploading the backup to the account's root to be restored from there (which is not publicly accessible) they uploaded it to the account's public_html folder (which is).

      2. PerfectBlue

        Need you ask

        While the media likes to make out that 4Chan is just a bunch of teenagers playing silly pranks, some of its members are extremely skilled hackers. If they put their heads together there's probably enough hacking talent on 4Chan to get into just about any system, let alone into the off the shelf website commissioned by that particular company.

        The odds are that their security procedure was to turn automatic updates on and then leave to get on with things itself.

        They probably just installed a web server package onto a second sever and plugged that into the net to cope with the extra demand caused by the DDOS, not realizing that the second server had sensitive information on it.

    2. Anonymous Coward
      Anonymous Coward

      Pretty easy

      "I am surprised that a website restoration would go THAT badly awry"

      Upload last backup to web directory. Restore.

      Whoops, I didn't kill the webserver first.

      I would say that such processes should be automated but that brings its own possibilities...

    3. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Court Orders

    Some mention on IRC that ACS paid TalkTalk £20 per customer and Sky a sum of £7899.76, maybe court orders not in place for all cases? Could just be rumour though.

    1. Annihilator


      You can get a court order asking for the details to be released, but you have to pay reasonable administrative costs for the efforts entailed in releasing such details. Much like the £10 cover charge to get your own details from a company under the DPA.

  6. Anonymous Coward

    To quote a comment in a previous Reg article about this ....


  7. ZootCadillac


    Thank you Chris for being the first of the higher profile news outlets to come out and say it. There was no hack involved. This was sheer incompetence. I've spent 24 hours trying to get other 'hacks' to correct their reporting of this and have finally given up now that the consensus appears to be that "4Chan hacked the site and stole the data"

    It's was not even 4Chan which is just a means these people use to co-ordinate information.

    1. IglooDude


      So how do you know no hack was involved? If they were stupid enough to have done such a crap restore job in the first place, they were stupid enough to have crap security allowing a hack of that sort. All we're agreed upon, it seems, is that they were stupid.

      1. Anonymous Coward

        ok, enough is enough

        IglooDude and some others (The Other Steve), you're really having lots of problems understanding this aren't you...

    2. Shakje


      you get that wound up about this sort of thing that you go around emailing journos to get them to change their articles? Seriously?

    3. Anonymous Coward

      4chan gets WAY too much credit and news time these days

      True. And 4chan as an entity gets way too much credit for being behind stuff like this. It may be that one member of 4chan has some noobish "hacking" skills and manages to pull off a stunt and post the results to 4chan. However, in the press the whole community gets credit as some kind of elite hacking group rather than what it really is: a loose-knit community of mostly socially maladjusted teenage misfits looking for validation among other equally socially maladjusted teenage misfits, and not forgetting free pr0n.

      It's amazing what a group of unremarkable people with unremarkable ideas can achieve simply when there is enough of them working together; however, even the few decent memes originating from 4chan are the result of one or two half bright individuals whose work just gets repeated ad infinitum by the millions of dullards that hang out on the boards until people can't help but take notice. OK so they invented LOLcats (for which I do have some appreciation) but you'd think they invented the Internet the way some people go on about them!

      At least some 4chan members are self-aware enough to recognise and acknowledge they are the scum of the Internet and prefer it that way, rather than pretending they are its saviours.

      If any of the news reporters spent more than 5 minutes on this site and giving it some independent scrutiny rather than slavishly following whatever they think will get them page views and Internet credibility they'd realise this and stop giving this website credibility and news time it doesn't deserve.

  8. Anonymous Coward
    Anonymous Coward

    "dont mess with 4chan", eh?

    Because even if you dont mess with 4chan, they might just shit on you anyway.

    1. Anonymous Coward
      Thumb Up

      It's like a hornet's nest not to whack it with a stick, but that's no guarantee it won't sting you.

      For some reason your comment made me think of the Epilepsy Foundation forum raid... there's not always a noble intent to the actions of the "Internet Hate Machine"

  9. Dazed and Confused
    Gates Horns

    Not only ACS can be sued

    But it looks like all of the BT customers could also sue them too.

    Might make for any court cases brought by ACS interest as well. The leaking of the data could well be considered to prejudice a fair trial, so the judge might well just chose to throw out all the cases.

    Then there would be the reliability of the data, if the data can not even be handled in a legal way by the ISP who is to say that it was acquired is a way which includes sufficient safe guards to be used as evidence in a court case. Without strong encryption and signing there could be no proof that the data hasn't been modified. So again this would make a trial difficult.

    Then of course ACS' clients might feel that that have screwed up any chance of their seeking legal redress and they might feel that they should sue ACS for professional incompetence. Hmmm the list goes on.

    Maybe he should be glad of the long queues at the coffee shop. The legal profession are after him, the ICO are after him, his victims will probably be after him and now his clients. He might well need a job in a coffee shop when all this is said and done.

    Only all the people I come across in coffee shops are better than that.

    1. Scorchio!!


      I found myself wondering, does he eat croissants with his coffee? Only this could explain why he was away for long enough to be, um, p\/\/|\|d, j00 kn0\/\/ \/\/hat I mean? ;-)

      1. Anonymous Coward
        Anonymous Coward


        1 D0nt kn0w wHat U Mean.

        Speak English or be quiet.

        1. Scorchio!!


          I th||\|k j00 me|\|t j00 |\| you. Pip, pip old boi.

  10. mmm mmm

    This story

    Just gets better.

  11. dave 46

    Accidents happen

    And I couldn't honestly be that hard on the techies who bungled putting the site back up while under pressure.

    But what idiots thought leaving documents like that unprotected on the website was a good idea? The only thing protecting them was people didn't know there were there. No doubt some idiot solicitor demanded he be able to access them anywhere, passwords were too hard to remember and it had to be NOW.

    All works fine until you rebuild your Apache and have the wrong default document configured.

    1. Anonymous Coward
      Anonymous Coward


      You are absolutely correct

      “Ali, just one more thing concerning the LoC generation, would you kindly remove password protection on the PDFs, as requested by the fufilment centre during the last run of data. Thanks.”

      By all means, remove passwd protection on the PDF’s. That way, if the backup ends up in the webroot someday, the world will be able to see everything ))

  12. Anonymous Coward

    Hoist by his own petard, perhaps?

    Couldn't have happened to a nicer man...

    Under investigation by the SRA.

    Facing possible fines of £500K.

    Can we possibly hope that these things come in threes, and these scumbags face criminal proceedings of some sort?

  13. irish donkey
    Thumb Up

    So now we can look into the mirky pool

    that is ACS:LAW and their relationship with our ISP's and the courts according some sources.

    I'll bet a few ISP are wringing their hands as well. It will be interesting to see when everything has been read and analysed who really is fighting our corner and who is stiffing us.

    1. Scorchio!!


      That is where the rubber hits the road, and it may be a major factor in determining which ISPs come out of the recession with their user base intact. BT already had Phorm.


    Bruce Schneier wrote the book on email encryption

    So why didn't BT read it?

    If they had encrypted the data sent to ACS:Law, of simply used a password protected link to an SSL site, sensitive details of their customers downloadng habits would not be all over the internet.

    It is not just ACS:Law who should be paying fines of £500,000.

    Ian Livingston should be digging deep into his pockets too. Their incompetence is inexcusable.

    1. Anonymous Coward
      Anonymous Coward

      Maybe TLS?

      I haven't read Bruce's book. Despite having implemented some email encryption solutions... But I expect BT could argue that they transmitted the document in question over an encrypted TLS channel and that further encryption wasn't required.

      Many email servers now use TLS first and fall back on plain text.

      Whether a company as large as BT has sufficient log history to prove that is debatable.

      Whether the connection was forced to be TLS (if indeed it was) or if it was just "luck" is also debatable.

      Whether anyone has ever checked certs from both ends is unlikely.

    2. copsewood

      unsupported assumption

      The fact that ACS Law stored and published highly sensitive data unencrypted on their own web server doesn't imply or mean that this data wasn't sent to them securely by ISPs who provided this data, presumably because it would have been illegal not to do so because a court warrant was obtained.

  15. Chris Hatfield

    ACS:Law : "Criminal" attack on website

    The "criminal" attack on their website is different to their criminal breach of Data Protection Laws by ACS:Law. Thank you, El Reg, for making this so clear.

    Andrew Crossley knows this, I'm sure, but is trying to spin for PR (in my humble opinion).

    It was serendipity on that part of Anons, from all corners of the net, not just 4chan but anti-anti-piracy activists and good people who never/rarely to go 4chan. Never underestimate the creativity or a bored bunch of teens. has always been the main hub, but as it's very decentralised, there are lots of little hubs.

    I would remind people with weak stomachs not to peruse the 4chan boards.

    1. Anonymous Coward
      Anonymous Coward

      4chan boards

      Everyone talks about 4chan as if it only has one board, it has plenty of boards that are completly safe for work. It even has a bunch of text only boards. Unless they got rid of all the work safe boards in the last four or so years.

      1. sT0rNG b4R3 duRiD


        Well, I would say it depends.

        As you rightly say not all content on 4Chan is sufficiently disturbing to be considered NSFW...

        BUT... let me just put it this way, would you want your superiors noting you had visited a place like 4Chan?

    2. PerfectBlue

      Never underestimate the creativity or a bored bunch of teens?

      Are you sure that they're teens? Not middle aged men pretending to be teens?

      There appear to be more teens on the web than there are teens in the world. Half of them are little kids pretending to be older, and the other half a adults pretending to be younger. There's probably a couple of real teens there. Just by pure chance. They are the ones who are sitting around looking confused while everybody around them talks about Hannah Montanna and The Who.

      1. JimC

        >Middle Aged men pretending to be teens

        There seems to be something about supposed anonymity on the net which reduces the mental age and social conscience of many males to be somewhere between 13 and 15.

      2. Anonymous Coward
        Anonymous Coward


        There's a lot of us teens online because we have a shitload of free time as compared to adults doing say a typical 9-5, and we've grown up with technology so are for the most part familiar with it's basic workings (unlike some people, I'm not going to go so far as to say understand it...)

  16. Anonymous Coward
    Thumb Down

    Only £500K?

    I find it rather odd that this only "could" cost them up to £500K. A breach like this could actually bring some real harm to those named, yet the firm responsible has only the relatively toothless ICO to answer to, while filesharers are pursued for many thousands per song.

    I'm not arguing that filesharing is right or wrong, but it's a nice demonstration of the the complete lack of a sane perspective on things.

    If a company destroys the privacy of thousands, they might get a (very) tiny dent in their end of year bottom line, but an individual who torrents an album will be dragged through the courts for years or bullied into payment.

    1. Anonymous Coward

      +Civil Damages

      I would assume (but IANAL) that this is a penalty that is imposed in addition to damages claimed in any civil cases brought by people harmed by the disclosure. In this instance I would imagine a couple of ambulance chaser lawfirms have downloaded the lists and are currently approaching potential clients in a class action case.

    2. heyrick Silver badge

      Only £500K?

      True. How about, given the nature of the data, 500K per infraction? Now, um... how many names were there? :-)

  17. Tigra 07


    I'll bet ACS is really regretting what they've been up to now with a possible £500k fine and possible other lawsuits from everyone at risk now =]

    This has really made my day, they deserved this 100%

  18. PsychicMonkey
    Thumb Up

    I've heard

    his train was late too. Poor fellow.

    1. CASIOMS-8V

      I also heard

      that the coffee was cold

  19. Oliver 7

    Epic Fail!

    If this is true, both ACS and BT can be fined by the ICO and, presumably, sued by any of those who encounter any loss as a result of this leak. Could they be sued anyway, even if there is no attributable loss?

    Sky claim that the information they divulged was appropriately encrypted when it was passed to ACS so they may be in the clear. The situation with PlusNet is not clear yet AFAIK.

    Crossley certainly pissed on his chips though, what a prize plonker he looks now!

  20. Bilgepipe

    Heh heh

    Payback is indeed a bitch. As long as my details weren't exposed, natch.

  21. Anonymous Coward

    LIBEL too

    I really hope that somebody (e.g. the partner of his ex-wife) sues for libel too - as his comments were published this is a distinct possibility.

    PLEASE, let him be taken to the cleaners from a business AND personal perspective.

  22. phil mcracken

    Andrew Crossley, you dun goofed.

    (remainder of comment removed by cyber police)

    1. Shakje

      A title is required

      Consequences will never be the same.

  23. corestore

    I'm sorry for...

    ...the feckless tech(s) who exposed the backup. Mr. Crossley sounds like he could be a nasty piece of work, and now he's been made a laughing stock; this is not a good combination, and bodes very ill for some unfortunate individual(s).

    1. Elmer Phud

      take the rough with the smooth

      If you work for a bunch of nasty fuckwits then you are happy to take the money. No peices of eight from the pirates - just thirty peices of silver from ACS

      1. TimeMaster T

        Uh ...

        You do know that a "pieces of eight" are in fact silver silver coins right?

        They are called "pieces of eight" because they were scored so they could be broken into eight pie shaped bits. Useful for transaction costing less than a full coin, like getting a shave and hair cut (which used to only cost two bits in some places).

        1. LaeMing

          Polly says:

          Pieces of 10.

          Pieces of 10.

          Arkk. Gone Metric.

          1. Sir Runcible Spoon


            Nerdy Polly says

            "Pieces of 128"

            Arrk, gone binary.

      2. Anonymous Coward

        TechMonkey for a WebHoster

        Who says that the TechMonkey that actually made the mistake is on the payroll for ACS:Law? I would fully expect ACS:Law to go for personal negligance claims against the staff of their new web hosting outfit.

  24. corestore

    On another note...

    ... the information commissioner has said that he can't close them down but he can fine them 500k - as has been reported.

    Excuse me, don't you need some kind of license from the IC to handle sensitive commercial data like this? No license, no more ACS Law...

    1. Jonathan Richards 1

      No licence required

      No, you don't need some sort of licence. If you're processing personal data you have to have a registration under the Data Protection Act, and you have to say for what purpose(s) you are processing data and from what classes of data subject. The notification process is explained here:

      For all the people suggesting that ACS:Law can be sued by the data subjects who's information has been compromised:- I don't think the Data Protection Act gives them the ability to sue, unless they can demonstrate actual harm. And they don't have a professional relationship with the company, so malpractice suits are out. IANAL, of course. These are the Interwebz. Nobody is a lawyer here.

      1. Andrew Macrobie

        I think you're right re DPA

        But where there's suspiscion of downloading pornography etc., there may be a case for defamation.

      2. nsld

        plenty of grounds

        for a lawsuit relating to defamation given the data shows which porn films have allegedly been downloaded.

        Publishing allegations as facts with no supporting evidence is clearly defamatory.

      3. Anonymous Coward

        IANAL but ...

        there's the law of tort which can make 3rd parties party to a contract in certain circumstances.

        For example, even though none of the people on the leaked list had any contract with ACS:Law, they certainly had a right to expect their data be held in confidence. The fact that ACS:Law managed to fail every basic element of data security and caused those details to become public certainly places ACS:Law in a tricky position legally. And they needn't sue under the DPA, although it's breaching would be taken into account - they could just sue for libel.

        I now understand that the database also contained comments by ACS:Law against certain individuals. Since I have no reason to believe ACS:Law are any better than any other company, I can guarantee that a proportion of those comments will be uncomplimentary, and a proportion of those will be libellous.

        Unfortunately for ACS:Law, the glare of publicity on this case has meant that some of these people will find out. And they will sue.

  25. Anonymous Coward

    the heat is on ...

    now even the BBC has moved the story to front page, along with details of how to request what data is held, and the procedure to go through for ensuring it is accurate.

    Andrew Crossley *is* Gerald Ratner ....

  26. Anonymous Coward
    Anonymous Coward


    Thats all.

  27. Destroy All Monsters Silver badge

    I still don't know

    ...whether it's Quad-Chan or Four-Chan. Or maybe Yon-Chan?

  28. The Indomitable Gall


    I'm reminded of a certain XKCD strip:

    1. Sir Runcible Spoon


      Mind you, I can't see ACS:Law being that creative, but the vampire bit fits :)

  29. blackworx

    For teh lulz... QED

    It is the first time I've actually LOL'd at a newspaper headline in YEARS.

    Oh god I just love this! Global popcorn supply now at crisis levels.

  30. Anonymous Coward

    I absolutely love it

    This is my favourite Reg story of the last year. It just gets better and better.

    It's funny that Andrew Crossley, who is dealing with activity on the internet is so clueless that he thought taunting Anonymous was a good idea. Presumably he didn't know who they are but he probably does now.

    I have a huge smile on my face as I type this (hence the icon) - Crossley, you are a prize plonker and it looks like you will finally get what you so richly deserve.

    1. Sir Runcible Spoon


      "he thought taunting Anonymous was a good idea. Presumably he didn't know who they are but he probably does now."

      You owe me a keyboard :D

      So, who is anonymous then? Or should I be asking Andrew :P

  31. Anonymous Coward

    I think a more appropriate name for this company ...

    is ARS:Law

  32. Anonymous Coward

    Make an information release request.. Its your legal right...

    Something along the lines of

    'Dear Sir, follow press announcement of your illegal release of personal data, please fullfil my information request....' for a template.

    I'm not even a subscriber to any of the ISPs that have been mentioned. But then, I've no way of knowing what other providers they may have been incontact with.

    I believe if they DONT answer, they'd be up for trouble from the information commissioner, again.

    This one could run and run.

    1. Anonymous Coward
      Anonymous Coward

      Postal DDos?


      Let's explore the idea a bit more....

      "How can we deal with this boss, we need to answer all these within 40 days?"

      Options appear to be:

      1. Just fail and take the punishment.

      "It's a thought, the ICO's a toothless fellow anyway".

      2. Try and take a short cut to get all the replies out in time:

      "Just fire back a boilerplate response to them all that we hold no details, they're all just troublemakers anyway". - All well and good until someone slips through who they're chasing, there's at least one name on the list that appears to have a typo so a straight forward search won't match him. Of course they could make this an acceptable route by deleting all their data, but that certainly ruins this business (of which it seems that this file sharing scam is the vast majority), or they also risk giving a cast iron escape route from their sham to anyone who's on one of their lists.

      "Ignore the ones that aren't recorded delivery, if they can't be bothered to pay for that, they'll have forgotten about this in 40 days and be on their next hobby horse". - Well yes, apart from say me, who will have a certificate of posting, and has already set a reminder 40 days hence.

      As a parting comment, I thought that Hovis had a loaf named after Crossley, but on closer inspection it said "thick cut".

      1. LinkOfHyrule
        Thumb Up


        Upvoted for the Hovis gag! I'm nicking that! You better send me a letter asking for £500 cos I stole your joke!!!!

      2. Mark 65

        @AC 20:43

        +1 for the bread joke. Now where's my screen cleaner?

      3. Sir Runcible Spoon


        ""thick cut".

        Why does that look like a typo :)

  33. Andrew 16

    Could the ICO not charge them...

    ... £500k for each item exposed (I cant find the exact number of people / IP's exposed but I think it was over 5,000).

    So that would be a £2.5bn fine then?.

    1. 46Bit

      Oh yeah

      It might as well be that much, really. I doubt it works that way (likely 500k max overall) but can you imagine the campaigns for lawsuits that'll come out of this? You'll have every pirate calling a lawyer.

  34. NigelS


    Am i the only one wondering why such a company was using a Cpanel Server hosted outside their company for their internal emails? Any competent company would have a local mail server in house for internal email, from the emails ive seen ACS had 1 server for all, web based, and running cpanel .. incompetence at the highest level.

    1. Anonymous Coward


      What if your office has next to no physical security? Or there is no central office? It does happen!

      Having a hosted solution then makes far more sense in some cases.

      There's many reasons for not having local servers. Space is always another factor.

      Hopefully that shouldn't mean your email is open to the world....

      1. Alan Lewis 1

        Small company

        Possibly because ACS is a very small firm, and 'outsourced' almost everything. It has one solicitor (Andrew); it rents serviced office space (is there any other option in London?!); apparently uses a contractor for IT support on an ad-hoc basis; and makes extensive use of paralegals (par for the course) and bought in temp staff to cope with additional workload. Incidentally, a majority of the staff appear to work from home - so, UK managers, see, it can be done ;-)

        But soooooo glad this happened...

    2. Anonymous Coward
      Anonymous Coward

      In fairness...

      Any competent company would not have poked 4chan with an eStick the way Crossley did.

    3. Anonymous Coward
      Anonymous Coward

      Probably because

      it is unlikely any competent IT bods would advise such a company ;)

    4. David Beck

      Company Location Problem

      It's hard to fit the mail server in the back of a 5 Series BMW.

    5. Fatman

      RE: .. incompetence at the highest level.

      No sir,

      CHEAPNESS at the highest level!!!!

      ^---- Because I hope this really blows up in their faces.

  35. Steen Hive
    Thumb Up

    And I'm sure it's not over.

    I nearly, but not quite, feel sorry for the wretch.

    His email, banking and the rest of his online life are going to be fair game for quite some time to come.

    Wonder if he'll manage to eat all those pizzas?

    1. LinkOfHyrule


      He probably will eat all those pizzas, he looks like he eats about thirty a day as it is, the fatty!

      Can you sue someone for stating the obvious? Guess someone who isint me will get a letter in the post claiming you can!

  36. liquidphantom

    Not enough...

    Shame it's not 500k per individual breach.

    I think he better see if he can get the money back on that Jeep he just bought.

    I wonder if could honestly say he's never downloaded anything that he hasn't paid for.

  37. ArmanX

    Now, if only...

    If only various other high-profile anti-pirating elite would get caught out like this; then my day would be made. RIAA offices found stealing MP3s, MPAA filching movies, that sort of thing?

  38. Anonymous Coward

    Now lets wait for the next episode

    Those that hacked, and those that are sharing this list feel the might of the law....

    It's clear 4Chan is just basically bored freetard children that get upset at the thought of paying for things.

    1. Anonymous Coward


      Those that have downloaded or shared this data are also breaking the same laws and thus also liable for a upto 500k fine?

      I think there might be some children that just shat themselves, discovering that...

      Payback Is a Bitch round 2....

  39. Gary F


    I feel sorry for the people named publically as file sharers but hopefully they will have the last laugh if ACS is given a hefty fine. At least their reputation is somewhat dirtier than it was last week.

  40. Alex C

    Have to admit to a certain amount of schadenfreude

    Previously I'd assumed that 4chan etc were a bunch of script kiddies, who generally amused themselves baiting Scientologists along with their less public-spirited hobbies. Actually the lack of any hacking on their part in this (other than the DDoS attack) can't deny them a glorious victory over a man whose smugness and arrogance has lead him to have some very difficult questions asked of him (what was he doing with that info in the first pace?) and hopefully some respectable fines and a class action suit.

    It seems lawyers have little or no imagination. If only they'd thought to fake a file with random names and addresses, and take a leaf from James May by leaving a message through the first letter of each line explaining how it was a trap to display the incompetence of the script kiddie community. Leave that up to be found & distributed joyously by the kiddies, they might have been able to put a serious dent in their attackers' credibility.

    As it was they'd have gotten away with it too, if it hadn't been for those meddling kids.

    I'll get me coat.

    1. Frumious Bandersnatch

      Who the hell is James May?

      Marble cake, also the game.

  41. Anonymous Coward

    " Crossley brags about his financial status:"

    " Spent much of the weekend looking for a new car. Finances are much better so can put £20-30k down. May go for a Lambo or Ferrari. I am so predictable!"

    He can kiss that idea goodbye then, it'll be a succession of stress free waits for the train from now on.


    Payback is a bitch and this time she's brought her sisters.

  42. The BigYin

    Info Comm to issue £500k fine?

    Ha ha ha ha! Funniest thing ever. Just like the FSO, the ICO is all mouth and no trousers. These guys will get a small tap on the wrist and it'll be "lessons learned" all round.

  43. John Savard


    They will get 4chan to also pay a fine of 500,000 pounds as well, since clearly they are at least partially responsible for this data leak.

  44. Anonymous Coward

    A suggestion to those on the leaked list

    How about sending a letter to Ambulance Chasing Shysters:Law threatening legal action but offering to settle out of court for 5000 pounds? They should already be in possession of a template they can use for this letter...

    I wonder how much more amusement this saga is going to provide.

  45. Alexander Vollmer

    A train is no way to salvation

    If you want to travel to a country without extradition treaty, how can you use a train? Aren't all these countries in South America?

  46. Sonny Jim

    The ISP's may get in trouble as well

    If it turns out that they were sending customer information across unencrypted via email. Very interesting stuff, I wonder what it'll do for the Digital Economy Act.

    BTW there's a torrent with a PE version of Thunderbird which makes it trivial (so I'm told) to search through and see how sh*tty this company really is/was.

  47. Anonymous Coward
    Anonymous Coward

    BT/Plusnet are definitely in trouble

    One of their legal team was sending Plusnet customer lists unencrypted via email attachments, surely this makes them liable?

    "Please acknowledge safe receipt and that the data will be held securely" was on one of them, lol

    *cough* Prakash *cough*

    1. Anonymous Coward
      Anonymous Coward


      I would be more worried if they [BT] actually sent a full copy of the UK DWP database to their Indian developers to work on, as opposed to, say, hashing the data before sending it to a non-safe harbour destination.

      That would never happen, oh no.

    2. Anonymous Coward

      Yep, I'll 2nd that

      BT were sending customer details in unencrypted excel files via email. Anonymous for obvious reasons.......

  48. CharlieBoY

    I have to agree

    There should be a Guy Fawkes Mask implemented with the caption being "For the lulz" :D

    Got to love 4chan...

  49. Oliver 7

    Example of the kind of person...

    From one of the many, many emails:

    Fellow Paralegals,

    From now on, if you find a response to a third party letter, do not send a security letter. Instead, please move the letter into the ABANDON HOPE folder in General Paras.

    This is because Andrew and Adam will be drafting a new letter so we can drop a couple of hundred cases over the next couple of weeks, putting pressure on those who we do not drop to settle.

    If you find someone who is blind, one legged and dying, and you think they are not worth pursuing due to the possibility of bad PR, please also put them in there. However, the majority of cases will be continued.

    Enjoy your evening,

    *** ******

    ACS Law Solicitors

  50. Jonathan Richards 1


    Someone who is a better privacy lawyer than me will work out whether the ICO registration for Andrew Jonathan Crossley (Z186195X) actually covers him to have these ISP customer names at all, see

    The purposes notified are Staff Administration; Advertising, Marketing & Public Relations; Accounts & Records; and Legal Services, the last of which defines data subjects as Customers and clients; Complainants, correspondents and enquirers; and Relatives, guardians and associates of the data subject.

    Nowhere AFAICS does the notification cover data subjects who are the targets of legal action; I'd expect to see a notification for the purpose called Administration of Justice, and/or to see "Offenders and suspected Offenders" included in the Legal Services category.

    1. Jonathan Richards 1

      Important addendum

      When I posted that, I'm fairly sure that I added the obligatory "I am not a lawyer" disclaimer, for the good and sufficient reason that I'm not, but maybe I forgot. Anyway, read the ICO notification and make up your own mind.

  51. Stuart Halliday

    I'll just reset my web server settings....

    Tum tee tum...oh dear....have I done something wrong...Oh SHIT....!

    I've seen novices do this before.

    They've either reset their web server software or reinstalled it and made the fundamental mistake of putting private files on it or allowing access to LAN shares which exposed this stupid error.

    Their web master needs to leave their office and never come back....

  52. Stefan 2

    Funny as.

    My very good friend called me a couple of weeks ago. He was more than a little bit distressed at having received a letter from ACS:Law demanding upwards of £400 for his illegal downloading of some porn.

    It was rather cruel perhaps that my immediate reaction was to deep belly laugh down the phone at him, but he's so far followed my advice and ignored the hell out of the letter.

    It will be interesting to see if they go out of business before they get around to sending him a second letter.

    1. Anonymous Coward
      Thumb Down


      "Ignore it" is probably the worst advice that you can give your friend - other than "pay them" of course - despite their activities its still a legal letter from a solicitor (although how long he actually continues to practice is down to the professional body).. is one of several sites giving advice on letters of denial.

  53. Steven Jones

    Proper safeguards

    Sensitive personal data has no place on any server exposed to the Internet in this way, and especially not on a web server, as it's only one remove from being hacked. Such information should be held on a further server hidden behind a firewall and only accessible via a secure network or VPN using strong authentication. Of course this law company is a very small operation which probably lacks the technical resources to implement such a thing, although the hosting company would (I hope) be able to put something appropriate together.

    However, this is going to happen more and more as sensitive personal information becomes available to many smaller companies. The security is only as good as the weakest link.

  54. Anonymous Coward
    Big Brother

    BT internet locum?

    Interested to see in one of the emails that someone from the BTinternet legal section acted as a locum for ACS during (what appears to be) Mr Crossley's absence in July.

    No conflict of interests there.

    Big brother CAN work both ways.

  55. Anonymous Coward
    Anonymous Coward

    offtopic, but just wondering...

    I know this is going off on a tangent, but these thoughts came as a result of seeing this article and the fact they're keeping data on suspected targets.

    If a company such as this one writes to you claiming infringement, are you able to simply respond asking them, as required by the data protection act, to delete all of your data from their database? I'd expect exceptions where it's gone to court, but as I understand it, this bunch of lawyers don't bother with the court bit.

    1. PsychicMonkey
      Big Brother

      as I understand it

      the data protection act doesn't let you have the data deleted, it allows you to view what they hold (for a fee of no more than £10) and have it corrected if wrong, but you can't get it deleted.

  56. John Smith 19 Gold badge
    Thumb Up

    Being part of the recording industries goon squard means you sometimes take some lumps

    Sometimes the "Little people" have big sticks.

    Who knew.

    1. Fatman

      RE: Big Sticks

      With plenty of long nails driven through them.

      Here in the former colonies, one thought comes to mind - that is of a 2x6 with a bunch of 16d nails driven through one end in a nice matrix pattern. Use it as a `wicked` paddle across the buttocks of that tw@t from ACS:Law.

  57. cannon
    Big Brother

    one law for them

    im sure the media industry, or the government whom are stooges for the industry, will get to the Information Commissioner and make sure any fine is minimal as they are "fighting the good fight" and give acs:law a slap on the wrists for breaking the law!

    they will say shit like "lessons need to be learnt" as acs:law & others are allowed to continue their extortion racket..

  58. Anonymous Coward

    ACS == A Complete Shambles?

    Andrew Crossley sets up a business model that one day will require a court to believe that his company understands the Internet and can provide reliable evidence that his clients have been injured by the conduct of people on it. He then goes on to offer proof-positive to the world that they don't.

    This person is a legal "professional" handling personal data. He ought to understand the Data Protection Act. However he demonstrates that he has either no concept of or complete contempt for it.

    IMO it doesn't matter if the information released got out as a result of hacking or not. I don't believe that information should ever have been on a public-facing server in the first place.

    I guess this is the big test of whether or not the DPA protects people. If there was ever a case of a breach of the Data Protection Act that Christopher Graham ought to be able to successfully prosecute then this must be it. Can anyone think of any of the Act's fundamental principles that haven't been broken here? If Mr.Graham doesn't hang ACS high and impose a penalty that is truly meaningful then I can't see any point in DPA or the ICO existing. I hope my lack of faith is proved wrong.

  59. Anonymous Coward

    ICO fine very unlikely.... but PCI could hurt

    ICO are toothless.... they usually just issues slaps on the wrist.

    However, I have heard rumour there may be credit card details in there. And storing those in plaintext is a major breach of PCI-DSS. In which case he could get a bill from Visa / Mastercard for both non-compliance fines AND the fraud costs.

  60. Anonymous Coward



  61. Anonymous Coward

    Good article

    Except it was ebaums that did it.

  62. Sonny Jim

    Asking the boss for printer ink

    They must have been skint:

    To Crossley

    "We're running out of printer ink. May I go ahead and order another one??"

    So, they were making "Nearly a million" but they need to ask Crossley if it's ok to buy ink?

    1. seanj

      A Christmas Carol... 2010

      To: Ebeneezer Scrooge

      From: Bob Cratchett

      Subject: Office termperature.

      Sent: 24/12/1843 20:47


      the office is a little chilly tonight, may I please add another coal to the fire?


      Bob Cratchett


    2. Danny 14


      I work in a reasonably affluent company. But the stationary cupboard has more security than the backup vault.

      1. Loki 1


        How do you think they became affluent in the first place? Many companies have been bankrupt by people stealing pens and pencils! ;-)

  63. David 45

    Good, better, best

    The story evolves to get even better. Let's hope ACS can't survive the storm. Not sure how Crossley can sleep at night.

  64. Anonymous Coward

    ACS Prank Calls Now Online!

    Anon for the lulz

    1. Chris Hatfield

      Soundcloud prank calls

      Tracks have reached their download limit. Unable to download. Or hear.

  65. Captain Thyratron

    That which is more readily explained by stupidity...

    ...needn't be attributed to malice.

  66. Anonymous Coward

    Lawyers to be prosecuted?

    In your dreams.

  67. Skizz

    Fined Up To £500K

    As long as they don't use the standard ISP definition of 'up to'.

  68. Dennis Wilson


    Why was that sort of personal detail not encrypted. Why was that sort of personal detail on a server used for internet perposes. Both are common sense questions that any dimwitted lawyer would have thought off.

  69. Anonymous Coward

    4chan FTW!!!

    ToGTFO nao!!111!!!!!!one!!1one1!!!!!


  70. John I'm only dancing

    The irony...

    .... of anti-filesharing lawyers (sharks demanding money with menaces perhaps), should actually go about sharing their files

  71. Anonymous Coward
    Thumb Up

    I have not laughed so hard in a long time!

    Guy from the states prank calling Mr Crossley:

    I'm in the process of going through the leaked emails. They contain everything from lists of possible infringers to credit card details.

  72. Arweet

    Plain text Excel attachments over unencrypted email.

    Yep, seen that before, in places where I could not believe my eyes.

    The problem is the management culture. Something is deemed a negligible risk simply because it has never happened before. A potentially fatal assumption.

    Now, that a small law firm has trouble keeping up with new technologies doesn't surprise me.

    That a telecommunications giant fails to grasp even the very basics of secure communication, however, is inexcusable.

    Somebody must be sacked over this, otherwise this culture won't change, and the next data disaster will make this one look harmless.

  73. Anonymous Coward

    Standard defence

    As ACS:Law admit, this threat is pure BS -

    “since you are the account holder of the internet connection associated with IP address, as confirmed by your ISP, British Telecommunications (BT), and are therefore responsible for any and all activities that occur over your internet connection including the infringement of copyright in our client’s Work.”

    Their own legal assessment of this threat?

    "There is NO case law to support such a general assertion without physical evidence on the infringer’s computer and ALL case law points to the opposite interpretation of that statement."

  74. James Pickett

    SCO reloaded

    Crossley would seem to be new Darl McBride. I wonder how long he will cling to the wreckage?

    BTW, El Reg, what happened to my earlier post under 'Just Desserts'? I don't remember saying anything too contentious...

  75. Anonymous Coward
    Anonymous Coward


    From perusing the offending data it seems that:

    - the court orders instruct BT to supply the data encrypted on CDROM or similar. If they did this, and can't see any reason to say otherwise, then they are in the clear.

    - ACS:Law decrypt it, then email the spreadsheets to for them to load onto a databses and print the letters.

    - in at least one instance, ng3sys. email back a url to a public zip file in the root of /their/ webserver containing the letters !

    Notwithstanding the idiocy of using an off-site mailserver in the first place, why the hell is all this being emailed about unencrypted and even put in such public places?

    1. little
      Paris Hilton

      yeah there were some password protected excels

      ... but when sent to someone else internally they were decrypted.

      i liked the dan & birdsey corespondence, prime example to never deal with personal issues at workplace.

  76. Evil Genius

    latest twist

    BT confirm that their data was sent by email, unencrypted, in direct breach of the court order.

    "The ruling, ordering internet service providers to hand over data to ACS:Law, states that it should be provided in an "electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media"."

    How many more revelations before we get proper, multi-agency investigation into this whole catalogue of breaches?

    1. Anonymous Coward

      To be fair

      they also stipulated that it needed to be treated with confidence and stored securely (despite it being transmitted, rather insecurely).

      What's even more interesting, and sure to make all the freetards crap their pants, the dates of the offenses registered are from late 2009. i.e. About a year ago.

      In other words, there is another years worth of data to sift through and for other lawers to issue lawsuits. Just because you haven't been caught downloading that movie 6 months ago, does not mean you won't.....

      If you are a freetard, you can expect your letter in the post.

  77. Anonymous Coward
    Anonymous Coward

    4chan needs to stop getting so much attention

    attributing this to 4chan is dangerous, 4chan itself is filled with horrible little toerags who spend their days getting people they don't like fired from their jobs, ruining good people's lives etc.

    they are like the bullies in school who push each other to do more and more f'ed up things

    and didn't they convince 1 teenage girl to commit suicide or something ?

  78. JakeyC

    Scum. Sub-human scum.

    If only the ICO had enough teeth to just shut these cowboys down as of yesterday.

    I hope every person they ever wrote to presses charges for:

    - libel/defamation of character (accusing them of viewing hardcore porn with no evidence)

    - fraud (pretending there's a 'lawsuit' that can be 'stopped' if they pay up)

    - blackmail (we know where you live and what you've been watching. Pay up or else)

    - multiple DPA breaches (just read the article)

    - being dickheads of the highest order

  79. Anonymous Coward
    Anonymous Coward

    ACS also release CVs of job hunters

    The jmiller emails for a para-legal position include some 30+ CVs, have these people been notified that their personal information in now in the public domain?

    Half a million pounds is no where near enough ACS and the Directors should never be allowed to hold personal information again and all the para-legal applicant should be compensated against future identity theft

  80. Anonymous Coward
    Anonymous Coward

    "massive target for hackers"

    On Usenet there is a thunderbird portable with the mail file loaded. I particularly like this exchange:

    "I have a software solution for you that is almost ready to go (2 weeks). It does everything you could ask for and some of the things you haven't even thought of yet.

    I would not recommend running your business on Google Docs. It is a massive target for hackers:"


    1. Anonymous Coward
      Thumb Up

      On Usenet there is a thunderbird portable with the mail file loaded.

      Excellent, saves me some work. Now for a fat one and a beer.. Got me some reading to do.

  81. Anonymous Coward
    Thumb Up


    What went into orbit, came back to earth.

This topic is closed for new posts.

Other stories you might like