BT customers' details among those leaked on web
Data was sent to ACS:Law 'unencrypted'
BT has been embroiled in the incident that saw the names of 5,300 Sky customers accused of illegally downloading porn films leaked on the web following an attack on the website of legal firm ACS:Law.
The telecommunications company has revealed it sent an unsecured Excel document containing details of 500 BT and PlusNet users, also thought to have taken part in illegal file-sharing, to ACS:Law.
The data was sent by Prakash Mistry, a lawyer working for BT, to Andrew Crossley of ACS:Law, and may have breached the Data Protection Act, possibly resulting in a fine.
The Data Protection Act requires customers' details to be kept secure, and while BT asked ACS:Law to keep the data secure, it did not encrypt the information before it was sent.
"I can confirm that this did happen," a moderator called 'NigelE' said on PlusNet's forums.
"We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again."
The moderator also said the firms do not believe any customers' details have been compromised by the attack on ACS:Law's website.
PlusNet told the BBC it is working with the customers whose details were contained within the document "to protect them as much as possible from further exposure" and will offer them "an identity protection service including internet security software free of charge for the next 12 months".
"Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with rights holders and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly," PlusNet added.
The Information Commissioner's Office (ICO) has been alerted to the incident. The ICO said it will include the two ISPs in its current investigation into the ACS:Law data leak.
However, Simon Davies from Privacy International revealed BT appears to be in contempt of a High Court order. On July 7, the telecommunications company was ordered by Chief Master Winegarten to hand over the data on suspected illegal downloaders.
The ruling stated the data must be "in electronic text format by way of Microsoft Excel file saved in an encrypted form to a compact disk, or any other digital media".
Davies said he would alert the High Court and the Attorney General to the fact that BT could be in contempt of court.
The same court order required Sky to provide ACS:Law with details of suspected illegal downloaders. However, the ISP confirmed it had sent the data in "encrypted form".
ACS:Law was one of a number of solicitors responsible for sending out around 50,000 letters to web users earlier this year, claiming the recipient had illegally shared files. The letters demanded the recipients pay a £500 fine and sign a legal undertaking agreeing not to illegally file-share in the future.
It is thought the data leak was the result of a DDoS attack on ACS:Law's website by message board 4chan, due to the firm's part in tracking illegal downloaders.
"We were the subject of a criminal attack to our systems. The business has and remains intact and is continuing to trade," said Andrew Crossley from the legal firm.