- What happened?
- What information has been leaked?
- Why me?
- What's an 'IP Address'?
- How did ACS:Law get hold of my personal information?
- How many customers have been affected?
- How did this information make it into the public domain?
- I'm no longer a customer of Plusnet, why have you emailed me?
- What about my credit card/bank details?
- Are Plusnet in breach of Data Protection Laws?
- What measures have you taken to make your customers aware that their personal details in the public domain?
- Was Plusnet to blame for the leaking of the information?
- Who can I complain to?
1. What happened?
On 25th September the law firm 'ACS:Law' were subject to an incident that left a large amount of confidential information visible to the public. This data included a significant amount of the law firm's corporate emails which were then copied and made widely available across the Internet.
Prior to the incident occurring, ACS:Law had sought and obtained court orders requiring us to disclose to the firm the names and addresses of a number of our customers whom they believed to have engaged in unlawful uploading of copyright material over the Internet. These allegations were those of the Copyright holder/ACS:Law and are not made by Plusnet.
Plusnet takes the security of our customers' data very seriously indeed, and we are very concerned that information we were legally obliged to share in confidence with a third party has been made public on the Internet.[Top]
2. What information has been leaked?
The information we sent to ACS:Law was in the form of a number of spreadsheets. These contained the internet 'IP addresses', the name of the copyright works and the time and date of the alleged infringement (all provided by ACS:Law). Also included were the names and postal addresses subsequently added by Plusnet pursuant to the court orders.[Top]
3. Why me?
Copyright holders and legal firms such as ACS:Law employ the help of third party companies, such as Digiprotect and Logistep, who use bespoke monitoring software to identify the 'IP addresses' of people connecting to file sharing networks. They specifically target those uploading content belonging to the copyright holder they're working on behalf of.[Top]
4. What's an 'IP Address'?
Each time you connect to the Internet you are assigned a unique identifier known as an 'IP address'. This IP address is typically a series of numbers separated by dots. Using this IP address, we can identify the customer it was assigned to at a given date and time. A third party can use readily available databases to determine which ISP an IP address has been assigned to (and that's how they know to contact Plusnet).[Top]
5. How did ACS:Law get hold of my personal information?
They applied to the court for what's known as a 'Norwich Pharmacal Order' or NPO. A Norwich Pharmacal Order is a legal procedure intended to assist in the identification of an alleged wrongdoer. We were then approached by the law firm with a list of IP addresses and asked to provide the names and addresses of customers who were assigned these addresses at a given date and time. You can read more about Norwich Pharmacal Orders' here.[Top]
6. How many customers have been affected?
We know that the details of approximately 300 customers were contained in the emails that were leaked. A further 400 customers may have been affected.[Top]
7. How did this information make it into the public domain?
Towards the end of September 2010, the anti-piracy lawyers 'ACS:Law' had their website taken down by something known as a targeted 'Denial of Service' attack. Following this attack, a backup file of ACS:Law's servers was made publicly available on the Internet which contained, amongst other things, a large amount of private email. Included in this backup file were emails that Plusnet sent to ACS:Law containing the names and addresses of a number of customers whom the firm had accused of downloading copyrighted material from the Internet. We were legally obliged to provide this information through the application of a court order by ACS:Law.[Top]
8. I'm no longer a customer of Plusnet, why have you emailed me?
Some of the court orders were granted back in 2009 which means some customers whose information ACS:Law were processing may since have left us.[Top]
9. What about my credit card/bank details?
None of the information we sent to ACS:Law contained credit card or bank details. If you have been in touch with ACS:Law directly though, and especially if you handed over your payment details, then you should contact your credit card company or bank immediately to advise them of the situation. We are aware that some of ACS:Law's leaked emails do contain the financial details of certain individuals, but have received no reports of Plusnet customers being in this position.[Top]
10. Are Plusnet in breach of Data Protection Laws?
No. Third parties can apply to the court for what's known as a 'Norwich Pharmacal Order' or NPO. A Norwich Pharmacal Order is a legal procedure intended to assist in the identification of an alleged wrongdoer. When such an order is made, we are obliged to disclose the information specified in that order. The personal information that was leaked to the Internet was taken from ACS:Law's web servers which are entirely outside of our control.[Top]
11. What measures have you taken to make your customers aware that their personal details in the public domain?
We are emailing *all* customers and ex-customers whose information we have previously sent to ACS:law. Where necessary, this will be followed up with a written letter and/or telephone call.[Top]
12. Was Plusnet to blame for the leaking of the information?
No. The information had already been transferred from Plusnet to ACS:Law by the time this incident happened.[Top]
13. Who can I complain to?
You may wish to complain to ACS:Law about the unauthorised leaking of your personal details.
If a complaint isn't handled to your satisfaction then you should contact the Information Commissioner's Office, details of which can be found here - http://www.ico.gov.uk/complaints.aspx[Top]
This page was published on 27th September 2010