BT confirms it sent customer info to ACS:Law – unencrypted

BT has confirmed it sent customer details in unencrypted Excel spreadsheets as email attachments to the legal firm ACS:Law.

BT said this morning it was investigating how this had happened and was still waiting for ACS: Law to let it know if any of its customer details had been compromised by the leak.

When asked if the details were sent unencrypted, a BT spokeswoman told TechEye: “I can confirm that this did happen but has no bearing on the current situation. 

“We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS Law) which reached them safely and we trusted that they would keep the data safe.

“At a later date, due to an attack on the systems of the law firm, data was leaked, which was outside of our control. At this time we do not believe any of BT’s customers details have been compromised by this leak, although we are continuing to pressure ACS Law for confirmation of this.”

BT is among those ISPs that sent customer details to the controversial ‘anti-piracy’ legal firm after it wrote asking for help identifying which of its customers had IP addresses found on file sharing sites. A series of “denial of service” attacks then led to thousands of customer details being exposed on the internet.

In an earlier statement, BT had sought to allay customer fears, saying: “Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data. 

“However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements. 

“We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts.”

The Information Commissioner’s Office (ICO) said this morning that it was in contact with ACS: Law but was not currently investigating the firm. 

A spokesman said: “The ICO takes all breaches of the Data Protection Act very seriously. Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken.” 

Meanwhile, ACS: Law has been cut off by its ISP Sky Broadband. And BSkyB said it would no longer co-operate with the solicitors’ firm after 4,000 Sky customers had their details leaked.