Anatomy of a Breach: ACS:Law — When Anonymous Took Down a Copyright Troll

> series: anatomy_of_a_breach —— part: 021 —— target: acs_law —— method: ddos_then_backup_exposure —— attacker: anonymous

Hedgehog Security · 30 September 2010 · 12 min read

A DDoS, a misconfigured backup, and thousands of lives exposed.

ACS:Law was a UK law firm run by solicitor Andrew Crossley that had built a controversial business model around copyright enforcement. The firm sent thousands of speculative invoices — often called 'pay up or else' letters — to individuals whose IP addresses had allegedly been associated with illegal file-sharing, demanding settlement payments of several hundred pounds. Many recipients paid rather than face the threat of court proceedings, regardless of whether they had actually infringed copyright. The practice drew widespread public anger and the attention of hacktivist collective Anonymous.

In September 2010, Anonymous launched a distributed denial-of-service (DDoS) attack against ACS:Law's website. When the site was restored, a configuration error left a backup file of the firm's entire email database — a 350MB archive — publicly accessible on the web server. The archive was downloaded and distributed widely. It contained the personal details of thousands of people who had been accused of illegal downloading, including names, addresses, IP addresses, and — in cases involving adult content — details of the specific material they were alleged to have downloaded. The ICO investigated and imposed the maximum fine then available, £1,000, an amount so small that it underscored the inadequacy of the pre-2010 enforcement regime.



The human cost of a data breach.

Unlike breaches involving payment card data or corporate secrets, the ACS:Law leak caused direct, personal harm to identifiable individuals. People who had been accused — rightly or wrongly — of downloading adult content had their names, addresses, and the specific content they were alleged to have accessed published online. For some victims, this exposure caused significant personal distress, relationship damage, and reputational harm. The breach demonstrated that the sensitivity of leaked data is not always measured in financial terms — sometimes the most damaging data is the most personal.

Backup Left on Web Server

The email database backup was stored on the same web server that hosted the public-facing website. When the server was restored after the DDoS attack, the backup file was accessible via a direct URL. This is a fundamental server hardening failure — backup files should never be stored in web-accessible directories. Our <a href="/penetration-testing/web-application">web application testing</a> specifically checks for exposed backup files, configuration files, and database dumps.
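As an added example (not Hedgehog Security's tooling or anything ACS:Law ran), this is the kind of post-restore audit an administrator could run over a web document root before bringing a site back online, flagging archives, dumps and backup-named files that have no business being web-accessible; the suffix list, name patterns and size threshold are assumptions.

```python
"""Audit a web document root for backup files, archives and database dumps.
Added example, not Hedgehog Security's or ACS:Law's tooling; the suffixes,
name patterns and size threshold below are assumptions."""
import os
import re
import tempfile

# Suffixes commonly produced by backups, dumps and mail exports (assumed list).
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".zip", ".tar",
                  ".tar.gz", ".tgz", ".7z", ".mbox", ".pst", ".dump", "~")
RISKY_NAME_RE = re.compile(r"backup|dump|export|archive|copy", re.IGNORECASE)
LARGE_BYTES = 50 * 1024 * 1024  # anything this big deserves a look regardless of name

def classify(path, size):
    """Return the reasons a file is suspect, or [] if none apply."""
    name = os.path.basename(path).lower()
    reasons = []
    if name.endswith(RISKY_SUFFIXES):
        reasons.append("backup/archive suffix")
    if RISKY_NAME_RE.search(name):
        reasons.append("backup-like name")
    if size >= LARGE_BYTES:
        reasons.append("unusually large for a web asset")
    return reasons

def audit_docroot(docroot):
    """Walk docroot and return {relative_path: [reasons]} for suspect files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the audit
            reasons = classify(full, size)
            if reasons:
                findings[os.path.relpath(full, docroot)] = reasons
    return findings

def demo():
    """Constructed sample docroot: one real page plus an exposed mail archive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "old"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        with open(os.path.join(root, "old", "mail-backup.tar.gz"), "wb") as f:
            f.write(b"\0" * 16)
        return audit_docroot(root)
```

Running it against a real document root (rather than the constructed one in `demo()`) is a one-line change; anything it reports should be moved outside the web root or deleted before the server is exposed again.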
No DDoS Protection

ACS:Law had no DDoS mitigation capability. The attack took the website offline, and the recovery process introduced the backup exposure. Organisations that attract controversy — whether through business practices, political positions, or public profile — should consider DDoS protection as a baseline requirement. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses resilience to denial-of-service attacks.
Unencrypted Email Archive

The 350MB email archive was unencrypted and unprotected. A law firm handling sensitive client data — including accusations of downloading adult content — had no encryption on its backup files. <a href="/cyber-essentials">Cyber Essentials</a> requires encryption as a baseline control.
£1,000 Maximum Fine

The ICO's maximum fine at the time was £1,000 — a derisory amount for a breach of this severity. This case, alongside the HMRC and MoD breaches, contributed directly to the ICO being granted the power to impose fines of up to £500,000 (and later, under GDPR, percentage-of-turnover fines).

When attackers have ideological motivation.

ACS:Law was targeted not for financial gain but for ideological reasons — Anonymous objected to the firm's copyright trolling practices and wanted to expose and disrupt them. Hacktivism adds a dimension to threat modelling that purely financially motivated attacks do not: hacktivists are motivated by publicity, embarrassment, and disruption rather than profit, which means they are more likely to leak data publicly rather than sell it privately, and they are more likely to target organisations that generate public controversy.

For organisations whose business model, public profile, or political activity may attract hacktivist attention, the security baseline must account for this threat. Our penetration testing assesses resilience to the techniques hacktivists use — DDoS, web application attacks, and data exfiltration. SOC in a Box monitors for the reconnaissance and attack patterns that precede hacktivist campaigns. Dark web monitoring detects when your organisation is being discussed on hacktivist forums. And UK Cyber Defence provides incident response when an attack occurs.


Does your organisation attract controversy? Hacktivists are watching.

Our <a href="/penetration-testing">penetration testing</a> assesses your resilience to hacktivist attack techniques. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for hacktivist reconnaissance. Because when Anonymous decides you are a target, you need your defences to already be in place.
