A law firm that pursues the owners of internet accounts linked to alleged illegal downloads of music and films was warned yesterday it faces a swingeing fine after the personal details of a further 8,000 people were leaked online.
The Information Commissioner Christopher Graham said that ACS:Law, which has sent thousands of letters to suspected internet "pirates" asking them to pay compensation of £500, could be forced to pay up to £500,000 if it is found that the company has flouted data protection law by failing to safeguard personal details on its computer system.
A list of 8,000 Sky broadband subscribers and 400 PlusNet users which was stolen in a hacking attack on ACS:Law's website appeared on the internet yesterday. The leak followed the earlier release of another database of 5,000 people whose internet accounts were allegedly used to download pornographic films.
The latest disclosures contain the names, addresses and internet details of users suspected of illegally sharing music files, including information on how much compensation was paid by individuals approached by ACS:Law. In some cases the bank details of people who made payments have also been disclosed.
Sky last night suspended co-operation with ACS:Law. A Sky spokesman said: "This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information."
The law firm has been previously criticised by consumer groups who say some of those approached to pay compensation have been innocent of any offence.
The databases were released earlier this week after a hackers forum known as 4Chan organised an attack on ACS:Law's website, forcing it offline for a period. When the website was restored, it briefly displayed an unencrypted back-up file which included the personal information. It was copied by the hackers, who called their attack Operation Payback, and rapidly copied across the internet.
Mr Graham said: "The question we will be asking is how secure was this information and how it was so easily accessed from outside. We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing."
ACS:Law, which has struck deals with the rights holders for illegally downloaded material and is understood to receive about a third of the compensation paid by users, defended its business. Andrew Crossley, the firm's owner, said: "We were the subject of a criminal attack to our systems. The business remains intact and is continuing to trade."
The solicitors' company obtains data from monitoring firms which record the internet or IP addresses of connections allegedly used to illegally download entertainment material. The name and postal address of the owner of that IP address is then obtained via a court order and the person is offered the chance to make a one-off payment or face legal action.
The leaked files include replies to the law firm from people claiming they are innocent. Experts have said it is possible to hijack an IP address, making it look like it has been used for illegal fire sharing when it has not.
Critics of ACS:Law say its tactics amount to bullying. An email sent back to the company by one internet user said: "I have a number of mental health issues and I was on sick leave when I received your letter. Its threatening nature disturbed me, and I have since been referred back under the care of a psychiatrist."
A second law firm has said the letters may constitute harassment, a claim strongly denied by ACS:Law. Michael Forrester, of Manchester-based Ralli Solicitors, said it was considering a counter-claim against ACS:Law on behalf of clients who claim they have been wrongly sent letters demanding compensation.
He said: "Many people are so embarrassed just telling us about files they are alleged to have downloaded and shared, I cannot see them wanting to draw further attention to the issue if they were not innocent."