BT admits passing unencrypted customer data to ACS:Law

And it appears that BT may be at least partly to blame for the leak: the company has reportedly admitted sending ACS:Law the details of around 500 of its subscribers who were suspected of filesharing, in an Excel file that it failed to encrypt.

Newswire reports suggest that the Information Commissioners' Office (ICO) is investigating the apparent data leak, whilst some of the people whose details have been leaked are reportedly talking to their lawyers.

The BBC, meanwhile, said today that ACS:Law is not dissuaded from its campaign, and is set to go to court next week to seek the broadband records of several hundred subscribers from Plus.net, the Sheffield-based ISP that was acquired by BT a few years ago.

Computer Weekly says that, as well as the leaked 500 records of BT broadband users, a further 8000 alleged filesharing users are using Sky connections, and the remaining 5000 are with other ISPs.

As reported previously by Infosecurity, ACS:Law had sent warning letters to thousands of people it identified after it discovered their IP addresses being used to download files.

Computer Weekly says that the letters threatened to take the recipient to court unless they paid £500 in settlement for their alleged copyright infringement.

The likely legal maelstrom that will result from this data leak is certain to drag on for some time, Infosecurity notes, but the incident could be the largest data breach of its type in the UK.

Andrew Wyatt, COO of Clearswift, said that the Information Commissioner has made it clear that, even where a data breach is the result of a malicious cyber attack, this is not an adequate defence and serves as no excuse.

"As more and more businesses embrace Web 2.0 and social media, today's news must serve as a wake-up call. The security industry needs to work with companies to educate them that security of their business information and data is not just a cost", he said.

Richard Walters, CTO of Overtis, meanwhile, said that organisations holding large amounts of personally identifiable data must automatically isolate and encrypt any databases that could breach people's privacy were they to be stolen, lost or leaked.

To do this, he advises that businesses should classify their file types and apply rules to prevent them from being sent unencrypted via email or webmail.

Walters also says that firms that handle people's data should implement security technology that manages and monitors privileged access to files, folders and applications.

"This sensitive data should have been encrypted and never associated with any form of external web application. Technology is available to prevent this from happening no matter how poorly configured systems are, or how badly coded their web facing applications are", he explained.
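The classify-then-block control Walters describes, as an added illustration that is not part of the article and not code from Overtis or any other vendor named here: a small outbound-attachment check that scans a CSV export for personal data (email addresses, IPv4 addresses, UK postcodes), labels it confidential when any are found, and refuses to let it leave unencrypted. The sample export, the column names and the "allow"/"block" policy are all constructed for this example; a real deployment would sit in a mail gateway or DLP hook and use the organisation's own classification scheme.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Patterns for the kinds of personal data a subscriber export tends to carry.
# These are deliberately simple; a production classifier would add account
# numbers, names matched against a directory, and so on.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
}

# Constructed sample export (fictional subscribers, documentation IP ranges).
SAMPLE_EXPORT = """\
account_id,name,email,ip_address,postcode,alleged_title
100001,Alice Example,alice@example.com,203.0.113.5,S1 2AB,title-redacted
100002,Bob Example,bob@example.net,198.51.100.77,SW1A 1AA,title-redacted
"""


@dataclass
class Classification:
    label: str            # "public" or "confidential"
    hits: dict[str, int]  # number of matches per PII pattern
    rows: int             # data rows scanned


def classify_csv(text: str, threshold: int = 1) -> Classification:
    """Scan every cell of a CSV document and count personal-data matches.

    The file is labelled confidential as soon as the total number of matches
    reaches `threshold`; one leaked record is already a breach.
    """
    reader = csv.DictReader(io.StringIO(text))
    hits = {name: 0 for name in PII_PATTERNS}
    rows = 0
    for row in reader:
        rows += 1
        for value in row.values():
            if not value:
                continue
            for name, pattern in PII_PATTERNS.items():
                hits[name] += len(pattern.findall(value))
    label = "confidential" if sum(hits.values()) >= threshold else "public"
    return Classification(label, hits, rows)


def outbound_decision(classification: Classification, encrypted: bool) -> str:
    """Policy rule: confidential content may only leave in encrypted form."""
    if classification.label != "confidential":
        return "allow"
    return "allow" if encrypted else "block"


def drop_columns(text: str, columns: set[str]) -> str:
    """Return a copy of the CSV without the named columns (data minimisation)."""
    reader = csv.DictReader(io.StringIO(text))
    keep = [f for f in reader.fieldnames if f not in columns]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    full = classify_csv(SAMPLE_EXPORT)
    print(full.label, full.hits, outbound_decision(full, encrypted=False))
    minimal = drop_columns(SAMPLE_EXPORT, {"name", "email", "ip_address", "postcode"})
    print(classify_csv(minimal).label,
          outbound_decision(classify_csv(minimal), encrypted=False))
```

The two checks are independent on purpose: the classifier decides what the file is, the policy decides what may happen to it, so the same classification can drive an email gateway, a webmail upload filter or a file-share audit. The `drop_columns` step shows the other half of the advice, that an export which never contained the personal data in the first place needs no special handling.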

Amichai Shulman, Imperva's CTO, noted that the hackers had one aim in mind – to disrupt its business services and cause humiliation.

The moral of this story, he says, is surprisingly not about web security but rather about sensitive data stored in an unstructured format.

Whilst organisations are keeping themselves busy with protecting data in its structured form within databases – or as it flows out of web applications – Shulman says that a new threat has arrived, the dissemination of sensitive data.

"In its unstructured format the sensitive information is flowing around the organisation almost unmonitored and uncontrolled", he said.

"It is time for organisations to get ready to fight this new battleground of keeping close track of unstructured information repositories and controlling their flow around and outside their organisation", he added.
