Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law

Breach details

What Loss of sensitive personal information.
How much 6,000 records.
When 2009 – May 2010
Why Insufficient measures taken to protect spreadsheets containing personal data, which was made available online following a DDOS attack.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 1,000
When 10 May 2011

Why the regulator acted

Breach of act Unencrypted spreadsheets were placed on a torrent site following a denial of service attack. “Home-use” web service used rather than a business package.
Inappropriate organisational and technical measures.
Known or should have known Data controller was fully aware of the sensitive nature of the data he dealt with and that his business was controversial and unpopular with some. The risk of attack was clear, yet he set up his set without professional IT advice.
Likely to cause damage or distress Financial and medical information of many individuals.