ACS:Law facing legal action over data breach

ACS-Law could face action from the Information Commissioner's Office (ICO) after the law firm's entire email database was posted online as it was trying to recover from a distributed denial-of-service (DDoS) attack.

The company has been heavily criticised in the past for sending letters to alleged copyright infringers demanding payment under the threat of court action.

The ACS-Law web site was hit by a series of DDoS attacks over the weekend carried out by web group Anonymous as part of a wide-ranging attack on pro-copyright organisations known as Operation Payback.

The breach of ACS-Law's systems reportedly resulted in the release of a file containing 365MB of emails containing credit card information on suspected offenders, as well as emails written by the firm's boss Andrew Crossley.

Rights group Privacy International has reported the firm to the ICO, as the data breach was not technically caused by the hack, but by a failure to put appropriate technical safeguards in place.

"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress," said Privacy International advisor Alexander Hanff.

"This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."

An ICO spokesperson said that the regulator will contact ACS:Law to " establish further facts of the case" and determine whether any action needs to be taken.

"The ICO takes all breaches of the Data Protection Act very seriously. Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act," the spokesperson said.

ACS:Law told V3.co.uk that it had no comment to make on the matter.