ICO to investigate ACS:Law data breach
The ICO has said it will be looking into the ACS:Law data breach which exposed web users' information.


The Information Commissioner's Office (ICO) will be contacting ACS:Law over the data breach, which reportedly exposed the details of thousands of internet users.
The data was stored by the law firm to track P2P users sharing copyrighted pornographic films, possibly illegally.
A data leak is believed to have occurred after members of 4chan, an image board website where activists recently organised attacks on film industry bodies, launched a distributed denial of service (DDoS) attack against ACS:Law's site.
"The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken," a spokesperson for the ICO said.
Earlier this year, reports suggested that ACS:Law had contacted a number of web users suggesting they had been involved in illegal file sharing, giving them the chance to settle out of court for their alleged crimes for £500.
Many protested their innocence and Which? Computing was approached by over 150 people who had been contacted by the law firm.
Reaction
Some organisations have pointed the finger at ACS:Law, which was unable to give an official response about the breach at the time of publication. The company's website is also still down.
Jim Killock, executive director at the Open Rights Group, told IT PRO ACS:Law should never have had the data in the first place.
"The hackers weren't trying to expose email traffic, of course. While we may think bringing down a website is irresponsible, ACS:Law placed sensitive data in a place which it never should have stored [it], which is simply negligent," Killock said.
"The ICO should make an example of ACS:Law, but the ICO should also ask whether the EU's data protection supremo Peter Hustinx is right to question the entire legality of this private surveillance."
Hustinx, European data protection supervisor, recently queried the legality of the Anti-Counterfeiting Trade Agreement (ACTA) under EU privacy laws. ACTA, which is currently under negotiation by bodies from across the world, including the European Union, will look to produce common standards and practices for enforcement of intellectual property rights.
Privacy International, meanwhile, has claimed ACS:Law breached the Data Protection Act by allowing an archive containing sensitive data to be stored on a public facing web server.
The group encouraged ACS:Law to contact all those mentioned in the archive and disclose the breach to them so they can take steps to secure bank accounts and credit cards.
"This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress," said Alexander Hanff, a Privacy International advisor.
"This firm collected this information by spying on internet users, and now it has placed thousands of innocent people at risk."
The Pirate Party UK was critical of both the hackers, who went by the name of Anonymous, and ACS:Law.
It condemned the "malicious attacks" carried out by Anonymous on the firm's IT infrastructure.
"Similarly, the Party strongly opposes the mass publication of personal information and private communication, whether by internet-based groups or the firm itself," an official statement read.
"The Pirate Party UK encourages those who attacked ACS Law to find less drastic ways to make their displeasure felt in the future."
The group also warned ACS:Law and other firms storing data on people they believe to be involved in copyright infringement to consider the enmity such action inspires.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.