P2P lawyer fined after £5.99 Web host falls to Anonymous attacks

The UK's leading "settlement letter" lawyer went out of business earlier this …

Not surprisingly, a £5.99 Web host doesn't handle Anonymous distributed denial of service attacks well.

Last year, the UK's main law firm sending out "settlement letters" to accused online porn file-swappers was attacked by members of Anonymous as part of the group's anti-copyright “Operation Payback.” The attack on ACS Law revealed the firm's private e-mails, splashing owner Andrew Crossley's private life, car purchases, and detailed financial projections across the Internet. 

The humiliating episode also revealed unencrypted spreadsheets containing the names, addresses, and films allegedly shared by UK residents—and Crossley today was fined by the Information Commissioner's Office for not protecting that private information.

Operating on the cheap

Information Commissioner Christopher Graham hit Crossley with a £1,000 fine today (PDF), though Graham warned that the penalty would have been £200,000 had Crossley not gone out of business earlier this year after some adverse court rulings.

“As Mr. Crossley was a sole trader it falls on the individual to pay the fine,” said Graham. “Were it not for the fact that ACS Law has ceased trading so that Mr. Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.”

Crossley was listed as his law firm's “data controller” and so is personally on the hook for the fine. The Information Commissioner charged that Crossley had “serious flaws” in his computer security system, that he did not seek professional advice when creating it, and that it did not include “basic elements such as a firewall and access control.”

Just how shoddy was the setup? When Crossley's old website had too much downtime, he asked his assistant to find a new Web host.

The legal assistant did a basic search on the Internet to find potential web hosting companies and came across a web hosting company (the “Web host”) which he recommended to the data controller on the basis that it offered online customer service and a program that allows individuals with limited computer programming knowledge to create webpage templates or to amend webpages easily.

In April 2009, the data controller [Crossley] decided to use the web host as his new Internet and e-mail host and entered into a contract with it for what it described as a “home” web hosting package at a cost of £5.99 per month. It is clear that this package was not intended for significant business use.

In addition to the fine, the judicial reprimands, and attacks in the House of Lords—where Crossley was accused of "straightforward legal blackmail" by Lord Lucas of Crudwell and Dingwall—Crossley still faces a summer hearing before the UK's legal disciplinary counsel over his actions during the last few years.
