ACS:Law's mocking of 4chan could cost it £500k

Off-the-cuff bravado aimed at internet pranksters has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law. The personal details of thousands of ISP customers accused of unlawfully sharing pornography, as well as video games, are now freely available online. The …

COMMENTS

  1. Huey
    Go

    Tis better

    No hack involved blunders all round.

    Nice and brief El Reg!

    It must go into the books somewhere I'd suggest somewhere near JS after all 4chan couldn't hit an elephant at that dist.....

  2. Anonymous Coward

    Snigger

    I presume that not only can the Data protection Dude do them for £500k, there will be a lot of rather pissed off downloaders who can sue them as well.

    Oh whoa. What a shame for them.

  3. Anonymous Coward
    Thumb Up

    New icon please

    Can we have a Guy Fawkes Mask icon now, please?

    1. OMGROFLSKATES

      YES YES YES

      AND MORE YES

      +1 cowbell as well please.

    2. Stone Fox
      Heart

      YES!

      Given the amount of /b/tards /i/nsurgents and assorted anons I see posting here it'd make a lot of people happy.

      And no, I didn't break rules 1 & 2 saying that!

  4. IglooDude

    Stupidity or malice?

    While the fellow in charge of ACS:Law was clearly unaware of the temperature of the pot he was stirring with his comments, I am surprised that a website restoration would go THAT badly awry, and another fairly obvious explanation would be that a particularly adept 4chan type got into their network and surreptitiously "adjusted" ACS:Law's website with the private data. Certainly if I were ACS:Law that'd be my defense, anyway.

    1. Loyal Commenter
      FAIL

      If that were the case,

      how did the hypothetical 4chaner get hold of that data, if it wasn't exposed through their website, without adequate protection?

      1. IglooDude

        Stupidity rules

        Perhaps I'm being misinterpreted. I'm agreeing that their data was clearly inadequately protected, and that they do deserve whatever legal punishment they face. What I'm wondering was who specifically exposed the data to the website? A stupid ACS:Law person, or a malicious 4chaner?

        1. Bilgepipe
          Black Helicopters

          Or...

          Or a malicious ACS:Law person....?

          1. Paul Harrap
            Grenade

            missing option

            Or a stupid 4channer?

            (oh. bugger. don't hack me bro)

        2. Anonymous Coward
          Megaphone

          for the idiots who can't see what's going to try to happen next..

          Not going to spell it out entirely but, use your imagination...

          Speaking to BBC News, Mr Crossley said there were "legal issues" surrounding the leak.

          wriggle wriggle wriggle

          1. Alex 0.1
            Stop

            Nothing so complex

            You guys think way too technically for this.

            ACS don't have their own servers or anything of the sort; their account was previously hosted on a shared cPanel hosting account at Dataflame (probably costing them about a fiver a month). When Dataflame cancelled their account following the DDoS they will have provided to ACS a backup of the account (cPanel will generate restorable account backups, including all email content), which ACS will have then uploaded to their new account with whoever their new shared cPanel host is, to then restore the backup into a working account.

            Stupidity, however, meant that instead of uploading the backup to the account's root to be restored from there (which is not publicly accessible) they uploaded it to the account's public_html folder (which is).
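The failure mode described in the comment above, a restore archive landing in public_html, is easy to check for after any restore. The script below is an added example (not code from the page, from cPanel or from any hosting provider): it walks a document root, flags archive and dump filenames, and peeks inside tarballs for members that mark a full account backup. The cPanel backup filename form (backup-M.D.YYYY_HH-MM-SS_user.tar.gz), the archive layout, and the demo tree the script builds are all assumptions constructed for the example.

```python
"""Scan a web document root for backup archives that should never be public.

Added example for the cPanel scenario described above; it is not code from
the page or from any hosting product. The cPanel backup filename form
(backup-M.D.YYYY_HH-MM-SS_user.tar.gz) and the archive layout are assumed,
and the demo tree and its files are constructed.
"""
import io
import os
import re
import shutil
import tarfile
import tempfile

# Filenames with no business under a public document root: the assumed
# cPanel full-backup name, then generic archive and database-dump suffixes.
SUSPECT_NAME_PATTERNS = [
    re.compile(r"^backup-\d{1,2}\.\d{1,2}\.\d{4}_\d{2}-\d{2}-\d{2}_[\w.-]+\.tar\.gz$", re.I),
    re.compile(r"\.(tar|tgz|tar\.gz|zip|7z|sql|sql\.gz|bak)$", re.I),
]

# Archive members that mark a tarball as an account backup rather than a
# harmless download: a nested home-directory tar, a mail tree, SQL dumps.
SENSITIVE_MEMBER = re.compile(r"(^|/)(homedir\.tar|mail|mysql)(/|$)|\.sql$")


def archive_looks_like_account_backup(path):
    """Return the first sensitive member name in a tar archive, else None."""
    try:
        with tarfile.open(path, "r:*") as tar:
            for member in tar:
                if SENSITIVE_MEMBER.search(member.name):
                    return member.name
    except (tarfile.TarError, OSError):
        return None  # not a tar archive, or unreadable: nothing to report
    return None


def find_exposed_backups(webroot):
    """Walk `webroot`; return sorted [(relative_path, reason), ...] for suspect files.

    Anything listed here is fetchable by URL once the web server is up, whether
    or not directory listing is on: the attacker only needs the filename.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if not any(p.search(name) for p in SUSPECT_NAME_PATTERNS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            reason = "backup/dump filename under document root"
            if name.lower().endswith((".tar", ".tgz", ".tar.gz")):
                member = archive_looks_like_account_backup(full)
                if member:
                    reason = "full account backup (contains %s)" % member
            findings.append((rel, reason))
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed public_html tree reproducing the mistake; return its path."""
    base = tempfile.mkdtemp(prefix="restore_demo_")
    webroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(webroot, "images"))
    os.makedirs(os.path.join(webroot, "old"))
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<html><body>Site restored</body></html>\n")
    with open(os.path.join(webroot, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")  # PNG magic only; placeholder
    with open(os.path.join(webroot, "old", "site.sql"), "w") as f:
        f.write("-- constructed dump\nCREATE TABLE letters (name TEXT);\n")
    # The restore archive uploaded into public_html instead of the account root.
    archive_name = "backup-9.27.2010_12-00-00_example.tar.gz"
    with tarfile.open(os.path.join(webroot, archive_name), "w:gz") as tar:
        for member_name, payload in (
            ("backup-example/mysql/example_db.sql", b"-- constructed dump\n"),
            ("backup-example/homedir.tar", b"\0" * 512),
        ):
            info = tarfile.TarInfo(member_name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    # The same archive one level up, in the account root, is not web-reachable
    # and is correctly left alone by the scan.
    shutil.copy(os.path.join(webroot, archive_name), base)
    return webroot


if __name__ == "__main__":
    for rel, reason in find_exposed_backups(build_demo_webroot()):
        print("EXPOSED: %s (%s)" % (rel, reason))
```

Run it against the real document root (`find_exposed_backups("/home/acct/public_html")`, path assumed) straight after a restore and before the web server is started; anything it lists is one URL away from being public, with or without directory listing. The durable fix is the one the comment implies: unpack the backup from the account root, and never park backups under public_html at all.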

      2. PerfectBlue

        Need you ask

        While the media likes to make out that 4Chan is just a bunch of teenagers playing silly pranks, some of its members are extremely skilled hackers. If they put their heads together there's probably enough hacking talent on 4Chan to get into just about any system, let alone into the off the shelf website commissioned by that particular company.

        The odds are that their security procedure was to turn automatic updates on and then leave to get on with things itself.

        They probably just installed a web server package onto a second server and plugged that into the net to cope with the extra demand caused by the DDOS, not realizing that the second server had sensitive information on it.

    2. Anonymous Coward

      Pretty easy

      "I am surprised that a website restoration would go THAT badly awry"

      Upload last backup to web directory. Restore.

      Whoops, I didn't kill the webserver first.

      I would say that such processes should be automated but that brings its own possibilities...

  5. Anonymous Coward

    Court Orders

    Some mention on IRC that ACS paid TalkTalk £20 per customer and Sky a sum of £7899.76, maybe court orders not in place for all cases? Could just be rumour though.

    1. Annihilator
      Boffin

      No

      You can get a court order asking for the details to be released, but you have to pay reasonable administrative costs for the efforts entailed in releasing such details. Much like the £10 cover charge to get your own details from a company under the DPA.

  6. Anonymous Coward
    Grenade

    To quote a comment in a previous Reg article about this ....

    "BWAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHA"

  7. ZootCadillac

    finally

    Thank you Chris for being the first of the higher profile news outlets to come out and say it. There was no hack involved. This was sheer incompetence. I've spent 24 hours trying to get other 'hacks' to correct their reporting of this and have finally given up now that the consensus appears to be that "4Chan hacked the site and stole the data"

    It was not even 4Chan, which is just a means these people use to co-ordinate information.

    1. IglooDude

      Question

      So how do you know no hack was involved? If they were stupid enough to have done such a crap restore job in the first place, they were stupid enough to have crap security allowing a hack of that sort. All we're agreed upon, it seems, is that they were stupid.

      1. Anonymous Coward
        Stop

        ok, enough is enough

        IglooDude and some others (The Other Steve), you're really having lots of problems understanding this aren't you...

    2. Shakje

      Seriously

      you get that wound up about this sort of thing that you go around emailing journos to get them to change their articles? Seriously?

    3. Anonymous Coward
      FAIL

      4chan gets WAY too much credit and news time these days

      True. And 4chan as an entity gets way too much credit for being behind stuff like this. It may be that one member of 4chan has some noobish "hacking" skills and manages to pull off a stunt and post the results to 4chan. However, in the press the whole community gets credit as some kind of elite hacking group rather than what it really is: a loose-knit community of mostly socially maladjusted teenage misfits looking for validation among other equally socially maladjusted teenage misfits, and not forgetting free pr0n.

      It's amazing what a group of unremarkable people with unremarkable ideas can achieve simply when there is enough of them working together; however, even the few decent memes originating from 4chan are the result of one or two half bright individuals whose work just gets repeated ad infinitum by the millions of dullards that hang out on the boards until people can't help but take notice. OK so they invented LOLcats (for which I do have some appreciation) but you'd think they invented the Internet the way some people go on about them!

      At least some 4chan members are self-aware enough to recognise and acknowledge they are the scum of the Internet and prefer it that way, rather than pretending they are its saviours.

      If any of the news reporters spent more than 5 minutes on this site and giving it some independent scrutiny rather than slavishly following whatever they think will get them page views and Internet credibility they'd realise this and stop giving this website credibility and news time it doesn't deserve.

  8. Anonymous Coward

    "dont mess with 4chan", eh?

    Because even if you dont mess with 4chan, they might just shit on you anyway.

    1. Anonymous Coward
      Thumb Up

      It's like a hornet's nest

      ...best not to whack it with a stick, but that's no guarantee it won't sting you.

      For some reason your comment made me think of the Epilepsy Foundation forum raid... there's not always a noble intent to the actions of the "Internet Hate Machine"

  9. Dazed and Confused
    Gates Horns

    Not only ACS can be sued

    But it looks like all of the BT customers could also sue them too.

    Might make any court cases brought by ACS interesting as well. The leaking of the data could well be considered to prejudice a fair trial, so the judge might well just choose to throw out all the cases.

    Then there would be the reliability of the data: if the data cannot even be handled in a legal way by the ISP, who is to say that it was acquired in a way which includes sufficient safeguards to be used as evidence in a court case? Without strong encryption and signing there could be no proof that the data hasn't been modified. So again this would make a trial difficult.

    Then of course ACS' clients might feel that they have screwed up any chance of their seeking legal redress and they might feel that they should sue ACS for professional incompetence. Hmmm, the list goes on.

    Maybe he should be glad of the long queues at the coffee shop. The legal profession are after him, the ICO are after him, his victims will probably be after him and now his clients. He might well need a job in a coffee shop when all this is said and done.

    Only all the people I come across in coffee shops are better than that.

    1. Scorchio!!

      Hmm

      I found myself wondering, does he eat croissants with his coffee? Only this could explain why he was away for long enough to be, um, p\/\/|\|d, j00 kn0\/\/ \/\/hat I mean? ;-)

      1. Anonymous Coward

        N0

        1 D0nt kn0w wHat U Mean.

        Speak English or be quiet.

        1. Scorchio!!

          Hah!

          I th||\|k j00 me|\|t j00 |\| you. Pip, pip old boi.

  10. mmm mmm

    This story

    Just gets better.

  11. dave 46

    Accidents happen

    And I couldn't honestly be that hard on the techies who bungled putting the site back up while under pressure.

    But what idiots thought leaving documents like that unprotected on the website was a good idea? The only thing protecting them was that people didn't know they were there. No doubt some idiot solicitor demanded he be able to access them anywhere, passwords were too hard to remember and it had to be NOW.

    All works fine until you rebuild your Apache and have the wrong default document configured.

    1. Anonymous Coward

      @Dave46

      You are absolutely correct

      “Ali, just one more thing concerning the LoC generation, would you kindly remove password protection on the PDFs, as requested by the fufilment centre during the last run of data. Thanks.”

      By all means, remove passwd protection on the PDF’s. That way, if the backup ends up in the webroot someday, the world will be able to see everything ))

  12. Anonymous Coward
    Pirate

    Hoist by his own petard, perhaps?

    Couldn't have happened to a nicer man...

    Under investigation by the SRA.

    Facing possible fines of £500K.

    Can we possibly hope that these things come in threes, and these scumbags face criminal proceedings of some sort?

  13. irish donkey
    Thumb Up

    So now we can look into the murky pool

    that is ACS:LAW and their relationship with our ISPs and the courts, according to some sources.

    I'll bet a few ISPs are wringing their hands as well. It will be interesting to see, when everything has been read and analysed, who really is fighting our corner and who is stiffing us.

    1. Scorchio!!

      Indeed

      That is where the rubber hits the road, and it may be a major factor in determining which ISPs come out of the recession with their user base intact. BT already had Phorm.

  14. dephormation.org.uk
    Grenade

    Bruce Schneier wrote the book on email encryption

    So why didn't BT read it?

    If they had encrypted the data sent to ACS:Law, or simply used a password-protected link to an SSL site, sensitive details of their customers' downloading habits would not be all over the internet.

    It is not just ACS:Law who should be paying fines of £500,000.

    Ian Livingston should be digging deep into his pockets too. Their incompetence is inexcusable.

    1. Anonymous Coward

      Maybe TLS?

      I haven't read Bruce's book. Despite having implemented some email encryption solutions... But I expect BT could argue that they transmitted the document in question over an encrypted TLS channel and that further encryption wasn't required.

      Many email servers now use TLS first and fall back on plain text.

      Whether a company as large as BT has sufficient log history to prove that is debatable.

      Whether the connection was forced to be TLS (if indeed it was) or if it was just "luck" is also debatable.

      Whether anyone has ever checked certs from both ends is unlikely.
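The log-history question raised in the comment above can be settled per message, provided the MTA logs its handshakes. The script below is an added example, not code from the page: Postfix is assumed as the sending MTA, and the log lines are constructed in its usual syslog format. It correlates each Postfix smtp client delivery with the TLS handshake the same process logged for the same relay, and separates "encrypted" from "certificate actually checked", which Postfix records as a Trusted or Verified connection as opposed to Anonymous or Untrusted. The process-and-relay correlation is an approximation and is marked as such in the code.

```python
"""Audit Postfix smtp client logs: was each outbound delivery encrypted, and
was the peer certificate checked?

Added example for the TLS discussion above; not code from the page. Postfix
is assumed as the MTA, and SAMPLE_LOG is constructed in syslog format. A
delivery is credited with TLS only if the same smtp process logged a TLS
handshake to the same relay beforehand. That is an approximation: Postfix
reuses processes and cached connections, so treat a "plaintext" verdict as
"no handshake evidence", not proof of cleartext.
"""
import re

# "<Trust> TLS connection established to host[ip]:port: TLSvX with cipher Y"
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>\S+): (?P<proto>TLSv[\d.]+) "
    r"with cipher (?P<cipher>\S+)"
)
# "<queue id>: to=<rcpt>, relay=host[ip]:port, ..., status=sent|deferred|bounced"
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+), .*status=(?P<status>\w+)"
)

# Constructed sample: one verified-TLS delivery, one with no handshake logged,
# one anonymous-TLS delivery (encrypted, certificate not checked), one deferral.
SAMPLE_LOG = """\
Sep 27 10:15:01 mail postfix/qmgr[1200]: 7F3A21C0B1: from=<disclosures@isp.example>, size=41233, nrcpt=1 (queue active)
Sep 27 10:15:01 mail postfix/smtp[4242]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 27 10:15:02 mail postfix/smtp[4242]: 7F3A21C0B1: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 11AA22BB)
Sep 27 10:16:40 mail postfix/smtp[4243]: 8A1B2C3D4E: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK id=1abc)
Sep 27 10:17:05 mail postfix/smtp[4244]: Anonymous TLS connection established to mx.example.com[203.0.113.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Sep 27 10:17:06 mail postfix/smtp[4244]: 9B2C3D4E5F: to=<carol@example.com>, relay=mx.example.com[203.0.113.7]:25, delay=1.0, delays=0.1/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Sep 27 10:18:00 mail postfix/smtp[4243]: A1B2C3D4E5: to=<dave@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=30, delays=0.1/0/30/0, dsn=4.3.0, status=deferred (host mx.example.org[198.51.100.5] said: 451 4.3.0 Temporary failure (in reply to end of DATA command))
""".splitlines()


def audit_deliveries(lines):
    """Return one record per delivery attempt, in log order."""
    handshakes = {}  # (pid, relay) -> (trust, proto, cipher); see caveat above
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            handshakes[(m["pid"], m["relay"])] = (m["trust"], m["proto"], m["cipher"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue  # qmgr, cleanup, smtpd and other daemons are not deliveries
        hs = handshakes.get((m["pid"], m["relay"]))
        records.append({
            "queue_id": m["qid"],
            "rcpt": m["rcpt"],
            "relay": m["relay"],
            "status": m["status"],
            "encrypted": hs is not None,
            # Only Trusted/Verified mean Postfix validated the server certificate.
            "cert_checked": hs is not None and hs[0] in ("Trusted", "Verified"),
            "tls": hs,
        })
    return records


def summarize(records):
    """Counts a reviewer would ask for: of what was sent, how much was protected."""
    sent = [r for r in records if r["status"] == "sent"]
    return {
        "attempts": len(records),
        "sent": len(sent),
        "sent_encrypted": sum(r["encrypted"] for r in sent),
        "sent_cert_checked": sum(r["cert_checked"] for r in sent),
        "sent_plaintext": sum(not r["encrypted"] for r in sent),
    }


if __name__ == "__main__":
    recs = audit_deliveries(SAMPLE_LOG)
    for r in recs:
        print("%s -> %s via %s: %s, tls=%s" % (
            r["queue_id"], r["rcpt"], r["relay"], r["status"], r["tls"]))
    print(summarize(recs))
```

Feed it the smtp client lines from the mail log for the period in question (`grep 'postfix/smtp\[' /var/log/mail.log`, path assumed). The answer it gives is only as good as the retention of that log, which is the comment's point; the policy side is more reliable evidence than the handshake lottery, so for a peer that will receive personal data the sending side should set `smtp_tls_security_level` to `encrypt` or `verify` rather than the opportunistic `may`, or not rely on transport encryption at all and encrypt the attachment itself.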

    2. copsewood
      Flame

      unsupported assumption

      The fact that ACS Law stored and published highly sensitive data unencrypted on their own web server doesn't imply or mean that this data wasn't sent to them securely by ISPs who provided this data, presumably because it would have been illegal not to do so because a court warrant was obtained.

  15. Chris Hatfield
    Pint

    ACS:Law : "Criminal" attack on website

    The "criminal" attack on their website is different to their criminal breach of Data Protection Laws by ACS:Law. Thank you, El Reg, for making this so clear.

    Andrew Crossley knows this, I'm sure, but is trying to spin for PR (in my humble opinion).

    It was serendipity on the part of Anons, from all corners of the net, not just 4chan but anti-anti-piracy activists and good people who never/rarely go to 4chan. Never underestimate the creativity of a bored bunch of teens.

    Partyvan.info has always been the main hub, but as it's very decentralised, there are lots of little hubs.

    I would remind people with weak stomachs not to peruse the 4chan boards.

    1. Anonymous Coward

      4chan boards

      Everyone talks about 4chan as if it only has one board; it has plenty of boards that are completely safe for work. It even has a bunch of text-only boards. Unless they got rid of all the work-safe boards in the last four or so years.

      1. sT0rNG b4R3 duRiD

        NSFW

        Well, I would say it depends.

        As you rightly say not all content on 4Chan is sufficiently disturbing to be considered NSFW...

        BUT... let me just put it this way, would you want your superiors noting you had visited a place like 4Chan?

    2. PerfectBlue

      Never underestimate the creativity or a bored bunch of teens?

      Are you sure that they're teens? Not middle aged men pretending to be teens?

      There appear to be more teens on the web than there are teens in the world. Half of them are little kids pretending to be older, and the other half are adults pretending to be younger. There's probably a couple of real teens there. Just by pure chance. They are the ones who are sitting around looking confused while everybody around them talks about Hannah Montana and The Who.

      1. JimC

        >Middle Aged men pretending to be teens

        There seems to be something about supposed anonymity on the net which reduces the mental age and social conscience of many males to be somewhere between 13 and 15.

      2. Anonymous Coward

        Possibly

        There's a lot of us teens online because we have a shitload of free time compared to adults doing, say, a typical 9-5, and we've grown up with technology so are for the most part familiar with its basic workings (unlike some people; I'm not going to go so far as to say understand it...)

  16. Anonymous Coward
    Thumb Down

    Only £500K?

    I find it rather odd that this only "could" cost them up to £500K. A breach like this could actually bring some real harm to those named, yet the firm responsible has only the relatively toothless ICO to answer to, while filesharers are pursued for many thousands per song.

    I'm not arguing that filesharing is right or wrong, but it's a nice demonstration of the complete lack of a sane perspective on things.

    If a company destroys the privacy of thousands, they might get a (very) tiny dent in their end of year bottom line, but an individual who torrents an album will be dragged through the courts for years or bullied into payment.

    1. Anonymous Coward
      Alert

      +Civil Damages

      I would assume (but IANAL) that this is a penalty that is imposed in addition to damages claimed in any civil cases brought by people harmed by the disclosure. In this instance I would imagine a couple of ambulance chaser lawfirms have downloaded the lists and are currently approaching potential clients in a class action case.

    2. heyrick

      Only £500K?

      True. How about, given the nature of the data, 500K per infraction? Now, um... how many names were there? :-)

  17. Tigra 07
    Heart

    LMFAO!

    I'll bet ACS is really regretting what they've been up to now with a possible £500k fine and possible other lawsuits from everyone at risk now =]

    This has really made my day, they deserved this 100%

  18. PsychicMonkey
    Thumb Up

    I've heard

    his train was late too. Poor fellow.

    1. CASIOMS-8V

      I also heard

      that the coffee was cold
