on 28-09-2010 11h50
Plusnet (owned by BT Group) have published an FAQ to help their affected customers:
on 28-09-2010 12h39
Thanks DS. Note that, although they admit to passing the data under an NPO, nowhere do they say that they sent that information encrypted.
If they did indeed fail to do so, as ICO guidelines demand, then to claim
10. Are Plusnet in breach of Data Protection Laws?
12. Was Plusnet to blame for the leaking of the information?
is disingenuous, to say the least.
(from a PN forum - not allowed to link - and I feel that Plusnet and Fletch in particular have been the most pro-active ISP regarding this. I don't know of any other ISP that has sent an email to everyone they have given the names and addresses of. There may be thousands of people out there who don't know that their details have been leaked, (??? I am talking about you) and have been exposed to potential blackmail.)
on 28-09-2010 15h10
on 28-09-2010 15h19
Just an update
Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data. However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements. We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts.
on 28-09-2010 16h06
You haven't commented on whether BT did or did not send spreadsheets of PlusNet customer details to ACS:Law in an unencrypted Excel spreadsheet attachment to an unencrypted email. Do we take your lack of comment to mean this is true (bearing in mind that anyone with an internet connection can verify this as the emails are available on the Pirate Bay)?
If this is not true, why has BT not flatly denied it?
on 28-09-2010 16h12
In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen but has no bearing on the current situation. We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS Law) which reached them safely and we trusted that they would keep the data safe.
At a later date, due to an attack on the systems of the law firm, data was leaked, which was outside of our control. At this time we do not believe any of BT's customers' details have been compromised by this leak, although we are continuing to pressure ACS Law for confirmation of this.
on 28-09-2010 16h33
"due to an attack on the systems of the law firm, data was leaked, which was outside of our control."
Can I just say that the site was only DDoSed, yes it was for a few days but it would have no effect on the database being available. The leak was purely on their side through poor staff. The ACS:Law firm are trying to say that their site was DDoSed and due to this the data was made available, almost using the attack as an excuse or scapegoat as such. If you could make a database available through a DDoS attack I would imagine all the script-kiddies would be doing it.
Will BT confirm that they will no longer deal with ACS:Law, as I have heard they are continuing on anyway despite this matter? Will BT fight them in court?
on 28-09-2010 16h57
Perhaps BT could clarify the accuracy of the email correspondence, specifically where it appears to state that BT were being paid for handing over their customers' details, and most importantly, that the orders were worked on by both ACS and BT's legals prior to submission to the court for its consideration.
This would be most helpful, as it would seem to contradict BT's statement that they were merely 'responding' to a court order, and appears on the surface to put them in the light of being an active partner.
On a more positive note for BT, I have so far only been able to find around 400 names and addresses of customers who get their internet through the BT owned PlusNet. With regard to the other few thousand customers whose details BT seem to have sold, their details appear limited to their IP addresses, at least for the moment.
And no, the previous commenter is correct. The information leaked was not due to ACS' system being 'attacked' but was due to the company making available their root-directory online. I'm sure BT don't mean to imply that the blame lies with members of the public for exposing BT's dealings with such a famously dubious company, but that is just the impression.
on 28-09-2010 18h34
"In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen but has no bearing on the current situation. We are investigating how this occurred as we have robust systems for managing data. We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS Law) which reached them safely and we trusted that they would keep the data safe."
Erm...surely under the Data Protection Act I would like to think that you are not openly sending my details to anyone without first ensuring you send it securely and that it is kept securely.
You don't need to pressure ACS Law. You can just go get the information off piratebay yourself. Or from many other torrent sites that will no doubt have the links by now. You don't even need to wade through the emails, someone has kindly supplied a link which has the relevant tables extracted in Excel spreadsheet form and lists it by ISP provider.
I'm not on there, but if I was I would be extremely angry about the lack of control in place both by BT and ACS Law, not to mention the other ISPs whose customer data has been leaked. As it is, to know that BT are quite willing to sell my details to someone else based purely on suspicion rather than any hard evidence is pretty disappointing. I'm due to move house in a couple months and I'll be thinking very carefully about which ISP to choose.
on 28-09-2010 18h40
Based on Nigel's reply (and I'm not having a go at anyone here, Nigel is only the messenger, I'm just worried as a current BT customer)
"In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen..."
"we trusted that they would keep the data safe"
"At this time we do not believe any of BT's customers' details have been compromised by this leak, although we are continuing to pressure ACS Law for confirmation of this"
My only questions are:
1) Does this method of sending sensitive information occur often?
2) Has BT sent any BT customers' details to ACS Law?
3) If ACS Law reply to BT confirming that any BT customers' IP addresses are on any of ACS Law's files/emails (which I'd have thought BT would already know as they would have sent it) - how many customers will this concern, plus are any of my details on any lists (there shouldn't be but I've noticed some innocent people are out there who have been wrongly accused)?
4) Is there not a duty of care to consider - I'd have thought so, but I might be wrong
5) Will BT fight any future court order requests - using whatever legal means possible?
6) Should BT have informed their customers prior to handing over the information?
7) Did BT break the law when it sent unencrypted communications in the first place?
8) Can I trust BT - if not, any chance of an email with my contract end dates plus any (waived?) cancellation charges - thanks