News

FTC Sweep Uncovers Widespread P2P Data Leak

• By William Jackson
• 03/16/2010

The improper use of peer-to-peer (P2P) file-sharing applications has once again led to the inadvertent exposure of sensitive information stored on government and corporate computers.

Late last month, the Federal Trade Commission (FTC) notified almost 100 organizations, among them schools and federal agencies, that personal information about customers and employees had been shared from those organizations' computer networks and made available on P2P file-sharing networks.

The breached organizations identified by the FTC included schools and local governments in addition to small businesses and large corporations. The breaches not only exposed personal information -- such as health and financial records, and driver's license and Social Security numbers -- but also made the organizations potentially liable for failing to properly secure the data.

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," said FTC Chairman Jon Leibowitz in a press release. "Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure."

In an interview with The Washington Post, David Vladeck, director of the FTC's Consumer Protection Bureau, suggested that a lack of knowledge in many organizations about how P2P file sharing works can leave the door open for such information leaks. While users have the ability to indicate which files and folders they want to expose for sharing, the wrong folders can be inadvertently included in the share list, documents could mistakenly be filed or copied in an exposed folder, and malware can reconfigure folder access lists.

In fact, according to a 2006 report from the U.S. Patent and Trademark Office on some of the unsavory features included in P2P file-sharing applications, if a downloaded file is moved out of the shared folder, it's possible for that file to give file-sharing applications access to all the data in the new folder. So if that new folder happens to contain a tax return or corporate information in addition to MP3s, all of that user's peers have access to that, too. Some P2P programs even include a search wizard to scour hard drives for other interesting folders to share.

"Peer-to-peer file-sharing programs have legitimate uses but -- particularly when people don't understand their vulnerabilities, and as our sweep showed -- they also have vulnerabilities," Vladeck told the Post. "What we're trying to do is raise awareness."

The FTC has published a guide to file-sharing security that includes some common-sense recommendations, including:

• Delete sensitive information you don't need and restrict where users can save files that contain sensitive information.
  
  
• Minimize or eliminate the use of P2P file-sharing programs on computers used to store or access sensitive information.
  
  
• Use appropriate file-naming conventions.
  
  
• Monitor your network to detect unapproved P2P file-sharing programs.
  
  
• Block traffic associated with unapproved P2P file-sharing programs at the network perimeter or network firewalls.
  
  
• Train employees and others who access your network about the security risks inherent in using P2P file-sharing programs.

Above all, the FTC said, organizations need a workable, enforceable policy to control file-sharing applications. FTC said the policy should include how to control the use of P2P applications, enforce a ban, protect sensitive information, protect against applications installed on computers used for remote access, train employees, and determine whether the policy is working.