The owner of now-defunct solicitors firm ACS:Law has been fined 1,000 for not keeping personal data secure from hackers.
The Information Commissioner's Office (ICO) said today it would have slapped Andrew Crossley with a 200,000 fine if he had the money to pay up.
"Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of 200,000 would have been imposed, given the severity of the breach," said information commissioner Christopher Graham.
Crossley's firm courted controversy when it sent letters to people it believed had infringed copyright, saying they needed to pay a fine for illegally downloading material or end up in court.
All cases were dropped against 27 people who took ACS:Law up on its court challenge. The firm has now folded, but sole trader Crossley could have to pay out legal costs to the alleged file sharers.
The ICO fine came as a result of poor data protection practices at ACS:Law, which was targeted by hacktivism group Anonymous leading to personal data being published on the internet.
A file containing emails between ACS:Law staff, as well as messages to and from ISPs or members of the public was placed online, affecting around 6,000 people in total.
The stolen data included ISP account details, names and addresses, as well as credit card details and references to the sex lives of those affected.
The ICO discovered ACS:Law did not even have rudimentary protections like a firewall or access control. Furthermore, the company's web hosting package was only intended for domestic use.
"This case proves that a company's failure to keep information secure can have disastrous consequences," Graham added.
"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details."
In recent months, the ICO has been criticised for not issuing fines more regularly. A freedom of information (FoI) request put forward by encryption firm ViaSat showed the ICO had fined less than one per cent of organisations it investigated since it gained additional fining powers in April 2010.
The ICO did not say whether it had looked into the state of Crossley's finances.
The aforementioned leaked emails indicated Crossley was considering buying a Ferrari, having been the proud owner of a Bentley already.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
