FTC finds P2P networks rife with leaked identity data

February 22nd, 2010

The Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other peer-to-peer (P2P) file sharing networks.

The FTC put nearly 100 companies and agencies on notice that their employees appear to be regularly leaking large amounts of sensitive customer and employee data on popular P2P networks.

The FTC did not name names, either of the victimized organizations or of the P2P networks. But the problem is well-known in tech-security circles. And it appears to be exacerbated by rising do-more-with-less demands being placed on employees.

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” says FTC Chairman Jon Leibowitz. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Data leaking from home PCs

This is a long-debated concern on which studies have been done and for which Congressional hearings have been held. The basic problem has to do with well-meaning employees taking company files home and loading them on their personal PCs to work on.

If that PC is subsequently used to download free music or videos at LimeWire, Kazaa or dozens of other P2P networks — and the user is not careful about configuring the P2P client — work files can get exposed to all users of the network.
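The exposure described above comes down to which folders the P2P client is configured to share and what has ended up inside them. The following audit script is an added example, not code from the article or from any P2P vendor; it assumes the client's shared-folder list is already known (passed in as paths) and flags two things: a shared root that is the whole home directory or a Documents/Desktop-style folder, and individual files that look like work documents or contain SSN-formatted values of the kind the FTC reported finding. The sample share it builds in a temp directory is constructed for the demonstration.

```python
"""Audit the folders a P2P client shares for work documents and SSN-like data.
Example code, not from the article; folder list and patterns are assumptions."""
import re
import tempfile
from pathlib import Path

# A US Social Security number as it is usually typed: 123-45-6789.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Extensions that almost never belong in a music/video share.
WORK_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".csv", ".txt"}
# Plain-text formats we can cheaply scan for SSN-like strings.
TEXT_EXTENSIONS = {".csv", ".txt"}
# Folder names that typically hold work files brought home from the office.
RISKY_ROOT_NAMES = {"documents", "desktop", "downloads"}


def risky_root(folder: Path) -> bool:
    """True when the shared root is the user's whole home directory or one of
    the folders where work files usually land (the classic misconfiguration)."""
    folder = folder.resolve()
    try:
        if folder == Path.home().resolve():
            return True
    except RuntimeError:  # no home directory resolvable in this environment
        pass
    return folder.name.lower() in RISKY_ROOT_NAMES


def scan_file(path: Path) -> list[str]:
    """Return the reasons a single shared file looks like leaked work data."""
    reasons = []
    ext = path.suffix.lower()
    if ext in WORK_EXTENSIONS:
        reasons.append("work-document extension")
    if ext in TEXT_EXTENSIONS:
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            return reasons
        if SSN_RE.search(text):
            reasons.append("contains SSN-like values")
    return reasons


def audit_shared_folders(folders) -> dict[str, list[str]]:
    """Walk every shared root; keys are the root itself (if risky) or the
    file path relative to its root, values are the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for folder in map(Path, folders):
        if risky_root(folder):
            findings[str(folder)] = ["shared root is a home/Documents-style folder"]
        for path in folder.rglob("*"):
            if path.is_file():
                reasons = scan_file(path)
                if reasons:
                    findings[path.relative_to(folder).as_posix()] = reasons
    return findings


def build_demo_share() -> Path:
    """Constructed sample share: one legitimate media file plus two work files
    that a careless configuration would expose to the whole network."""
    root = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (root / "song.mp3").write_bytes(b"\x00" * 16)
    (root / "payroll.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "memo.docx").write_bytes(b"PK\x03\x04")  # minimal zip header
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for item, reasons in audit_shared_folders([share]).items():
        print(f"{item}: {', '.join(reasons)}")
```

Run on the demo share it reports `payroll.csv` (work extension plus SSN-like content) and `Documents/memo.docx` (work extension) and stays silent on `song.mp3`. In a real deployment the folder list would come from the client's own settings and the extension and pattern lists would be tuned to the organisation's data; the point is that anything flagged should be moved out of the share, not just left for the client to "not index".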

“It sounds preposterous, but sensitive information leaking out unintentionally like this is amazingly common,” says Eric Johnson, director of digital strategies at Dartmouth’s Tuck School of Business. “Look at the file sharing networks and you’ll find people exposing things all the time.”

In fact, data leakage via P2P networks has become so commonplace that there are cybercrime gangs who specialize in continually searching P2P sites for sensitive work documents. FTC investigators easily found health-related information, financial records, drivers’ license and social security numbers accessible on P2P networks — “the kind of information that could lead to identity theft,” says Leibowitz.

The FTC is conducting “non-public investigations” of other companies whose data are turning up on P2P networks. It also today released new education materials to help companies deal with the problem.

Doing more with less

A big driver of the problem is the fact that many employees today are under intense pressure to take on tasks previously assigned to others who’ve been laid off in the down economy.

Striving to produce more, employees feel compelled to take work home and use their own equipment and network hookups to complete assignments, says Lisa Sotto, head of privacy and information management at New York law firm Hunton & Williams.

Sotto says companies need to establish and enforce policies relating to the access and use of sensitive company data, and train employees on best security practices.

“Awareness is critical,” she says. “A lot of people don’t know that there is a problem.”

The FTC is calling on the roughly 100 organizations whose data it found littering P2P sites to identify affected customers and employees and “consider whether to notify them that their information is available on P2P networks.” The agency pointed out that most states and federal regulatory agencies have data breach notification laws requiring such disclosure.

By Byron Acohido