All over the Tech news today is story about the email leak from the unpopular piracy solicitors ACS:Law.
They take great pleasure in hunting down people who’ve been sharing files illegally- now they’re about to get a taste of their own medicine, from the Solicitors Regulation Authority and the Information Commissioner.
The UK’s Information Commissioner (ICO), speaking after the initial leak, told the BBC that ACS:Law had a number of questions to answer.
“The question we will be asking is how secure was this information and how it was so easily accessed from outside,” said Christopher Graham.
“We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing.
“The Information Commissioner has significant power to take action and I can levy fine of up to half a million pounds on companies that flout the [Data Protection Act],” he added.
It all started because the ACS:Law web site was brought down during a DDoS attack. When they restored service, a folder that contained a backup of their emails was restored to a folder contained within their web site. This meant that anyone could download their email backup.
While not everyone did, we know for a fact that someone did. Not only did they download it, but they’ve shared it widely on torrents, which means the world is currently reading through ACS:Law’s emails.
The collection includes the incoming and outgoing emails of Andrew Crossley and his employees, complete with attachments, and contains masses of information about how ACS:Law goes about its business and how much money it makes, plus embarrassing personal details. (Broadband Genie excerpt)
As a Cloud vendor we are frequently queried about our security and how it stacks up. This is because many customers firmly believe that holding on to their data and keeping it on servers located in-house or within their control will be far safer than trusting a secure third party. The ACS:Law breach, no matter how amusing for the many people who dislike this firm and its practices, is a perfect example of how dangerous it can be to keep copies of data peppered around your own environment.
Backups represent a massive collection of logically connected intellectual property that can be easily found (and retrieved) IN A SINGLE FILE!
We are absolutely not condoning the behavior of the perpetrators behind the DDoS, in fact we protect many of our customers from DDoS’s, it merely disproves the fallacy that data is safer on-site and that things can, and often do, happen that are beyond our own internally limited control. It also shows us how dangerous is can be to keep backups on servers in an internal environment.