The Information Commissioner has confirmed his office is investigating a major data breach at a UK law firm, an examination that could result in a fine of up to £500,000.

The news follows an announcement yesterday by privacy group Privacy International, which said it was planning legal action against the law firm, ACS:Law. PI cited a breach of the Data Protection Act after sensitive details, including names, addresses and bank details, reportedly appeared on the firm's website.

Last week, the unencrypted details of thousands of broadband users, reportedly BSkyB customers suspected of illegally sharing pornography, were leaked on the ACS:Law website. At the time of writing, ACS:Law had not returned calls requesting comment.

The breach apparently followed a distributed denial of service attack on the firm's web servers, after which unencrypted emails that the firm had sent to users appeared on the ACS:Law website. A denial of service attack on its own floods a server rather than extracting data from it; the open question is how unencrypted email came to sit where the public-facing site would serve it. ACS:Law had been emailing the users to warn of potential legal action for breach of copyright.
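The kind of check a site operator would want to run before (and after) restoring a web site from backup, as an added example that is not code from the original report or from any of the firms named: it walks a document root and flags files that look like mail archives or dumps, or whose contents resemble raw email and UK bank details. The file names, regexes and the sample document root are constructed for illustration; the heuristics are deliberately simple and produce leads to review rather than verdicts.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that have no business in a public document root: mail archives,
# mailbox dumps, database dumps and backup bundles. Constructed list; extend to taste.
SENSITIVE_EXTENSIONS = {".eml", ".mbox", ".pst", ".ost", ".sql", ".bak", ".tar", ".gz", ".zip"}

# Content heuristics. A UK sort code is written NN-NN-NN and an account number
# is eight digits; both appearing in one file is a strong signal. These regexes
# will also hit dates and reference numbers, so treat matches as leads to review.
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
ACCOUNT_NO_RE = re.compile(r"\b\d{8}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAIL_HEADER_RE = re.compile(r"^(From|To|Subject|Received):", re.MULTILINE)
EMAIL_THRESHOLD = 5  # this many distinct addresses in one file suggests a dump


def scan_file(path: Path) -> list:
    """Return the reasons a file looks like leaked personal data (empty if none)."""
    reasons = []
    if path.suffix.lower() in SENSITIVE_EXTENSIONS:
        reasons.append(f"archive/dump extension {path.suffix.lower()}")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return reasons
    if SORT_CODE_RE.search(text) and ACCOUNT_NO_RE.search(text):
        reasons.append("UK sort code with account number")
    if MAIL_HEADER_RE.search(text):
        reasons.append("raw e-mail headers")
    if len(set(EMAIL_RE.findall(text))) >= EMAIL_THRESHOLD:
        reasons.append("many distinct e-mail addresses")
    return reasons


def scan_docroot(root: Path) -> dict:
    """Walk a document root; map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = scan_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_docroot() -> Path:
    """Constructed sample web root: one harmless page plus a mailbox dump that a
    careless restore-from-backup has left under the public directory."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
    (root / "backup").mkdir()
    (root / "backup" / "mail.mbox").write_text(
        "From: legal@example.com\n"
        "To: user1@example.net, user2@example.net\n"
        "Subject: Notice of claim\n"
        "\n"
        "Settle by transfer to sort code 12-34-56, account 12345678.\n"
        "Cc: user3@example.net, user4@example.net\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel, why in sorted(scan_docroot(sample).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it against the real document root (for example `scan_docroot(Path("/var/www/html"))`) as part of any restore or deployment procedure; anything it flags should be moved out of the served tree or encrypted before the server goes back online. Point it at the directory the web server actually serves, not the directory you think it serves, since the two diverge after ad hoc restores.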

The Information Commissioner’s Office said today that it takes any breach of the Data Protection Act “very seriously”. It added that it “will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken”.
 
In a BBC report, Information Commissioner Christopher Graham said the investigation will cover the security steps taken at ACS:Law and how the data “was so easily accessed from outside”.

"We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing,” he said.

ACS:Law had been tracking users suspected of sharing copyrighted pornographic files, logging their IP addresses and obtaining court orders to force internet service providers to reveal their real names and addresses, the BBC reported.

A spokesperson at BSkyB said the company can be compelled to release such information following court orders, but added: “We only ever provide such data in encrypted form.” The company said it was “very concerned” about the security breach and had stopped "all co-operation" with ACS:Law until it was satisfied adequate security was in place.

Andrew Wyatt, at software security firm Clearswift, noted that the Information Commissioner “has made it clear that even where a data breach is a result of a malicious cyber attack, this is not an adequate defence [over data protection] and serves as no excuse”.
 
"The security industry needs to work with companies to educate them that security of their business information and data is not just a cost," he added.

“This sensitive data should have been encrypted and never associated with any form of external web application,” added Richard Walters, chief technology officer at user activity management software firm Overtis. “Technology is available to prevent this from happening no matter how poorly configured systems are, or how badly coded their web-facing applications are.”