YNOT EUROPE – A London law firm that has been criticized for “bullying” individuals accused of sharing copyrighted files online faces a lawsuit after it inadvertently published to the web personal information about some of its targets.

A security snafu on Sept. 24 posted unencrypted names of about 8,000 Sky broadband users and 400 PlusNet users ACS:Law is pursuing, along with the titles of pornographic movies they are accused of pirating, about 1,000 confidential emails and credit card details. The data was captured by the “Anonymous” cyberspace activist group and quickly spread across the web.

ACS:Law partner Andrew Crossley quickly attempted to excuse the leak by claiming the company was the victim of “a criminal [distributed denial-of-service] attack” that exposed the data. DDoS attacks are illegal in the UK, but UK anti-piracy firms like ACS:Law found themselves targets of retaliatory efforts based in other countries after the Motion Picture Association of America hired a software company in India, where DDoS attacks are not illegal, to attempt takedowns of The Pirate Bay and other file-sharing sites in an effort to curtail copyright infringement.

What is less clear is why unencrypted personal data was posted to ACS:Law’s web server at all.

Non-profit privacy advocate Privacy International said the fault rests solely with ACS:Law. When the law firm attempted to restore its web server after the DDoS attack, the unencrypted personal information was included with the backup file. Calling ACS:Law’s action careless and “likely to result in significant harm to tens of thousands of people,” PI said it will sue the law firm.

The UK’s Information Commission also is investigating, according to TheFirstPost.co.uk.

The emails exposed during the breach may lend support to disciplinary action pending against ACS:Law. The UK’s Solicitors Regulatory Authority referred the firm to a tribunal in late August after consumers complained ACS:Law employed heavy handed tactics to force them to pay for infringement they didn’t commit.

“I think pursuing individual infringers will ‘scare’ them into paying up, more than what Lawdit or other representative would advise their client,” one of the emails noted.