Owner of Former Speculative Invoicing Firm Fined over Data Breach

Andrew Crossley, the former owner of ACS:Law, a legal firm that engaged in speculative invoicing, was fined by the Information Commissioner's Office for failing to adequately protect personal data.

Speculative invoicing is the still on-going practice of sending letters to file sharers suspected of copyright infringement and threatening them with legal action unless they pay a sum to settle accusations.

ACS:Law was one of the firms that pioneered speculative invoicing in UK and was one of the first targets of Anonymous' Operation Payback DDoS campaigns back in September 2010.

At around the same time, members of the hacktivist collective discovered an archived email backup left unprotected on the company's website and uploaded it on The Pirate Bay.

Some of the emails in the leaked database had Excel spreadsheets attached which contained the personal information of over 5,000 file sharers the company obtained from ISPs.

The Information Commissioner's Office launched an investigation into the matter which was finalized yesterday with a fine of £1,000 against Andrew Crossley.

Crossley was fined personally because ACS:Law went bankrupt earlier this year. ICO notes that had the company not ceased trading, the penalty could have reached £200,000 given the severity of the breach.

"Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress.

"The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details," said Information Commissioner Christopher Graham. [pdf]

ICO determined that ACS:Law didn't ask for professional advice when setting up its IT system that lacked firewalls and access controls. In addition, the Web hosting package it used for its website was destined for home users.

The ICO also investigated BT for sending personal information about its customers to ACS Law in unencrypted format, but it determined that it was an employee's mistake. The decision to drop that investigation was strongly criticized by privacy watchdogs.