Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Citigroup Customer Data Leaked on LimeWire



 By: Lisa Vaas
2007-09-21
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Names, social security numbers and credit information of 5,208 Citigroup customers were leaked by an employee to LimeWire P2P file-sharing network.

Citgroup has confirmed that its investigating a data breach involving the names, Social Security numbers and credit information of 5,208 customers leaked by an employee of its ABN Amro Mortgage Group unit onto the LimeWire peer-to-peer file-sharing network.

Tiversa, a company that monitors P2P networks on behalf of clients, told eWEEK that it found Excel spreadsheets from the desktop of a financial analyst at ABN Amro Mortgage Group running LimeWire. Although Tiversa found over 10,000 files, deduplication revealed only 5,208 unique Social Security numbers, along with names and what type of mortgage each customer had: conventional, 30-year or conforming, for example.

Tiversa performed the review at the request of a Dow Jones Newswire reporter investigating the story.

The information is likely to have been exposed to millions of LimeWire users, given that there are at least 10 million nodes online in a P2P file-sharing network at any point in time, said Chris Gormley, Tiversas chief operating officer.

"As an identity thief, [that gives you] the keys to [those individuals] digital life," Gormley said.

Resource Library:
According to a Dow Jones Newswire report, the ABN employee responsible for posting the data signed up last year to use a LimeWire-like P2P service and inadvertently exposed not only the spreadsheet but also personal documents, including her resume and a Travelocity confirmation of a family trip. The woman told the news service that she was laid off this summer and wasnt aware of the breach before Dow Jones contacted her on Sept. 20.

Extent unknown

Due to the nature of P2P networks, the extent of the datas dispersal is unknown. Tiversa said the data wasnt online as of Sept. 20, but nodes containing the data could pop up at any time.

Dow Jones Newswires staff viewed the spreadsheets using LimeWire, which can be used to share music, movies and other types of files via the P2P file-sharing network—an architecture in which each member computer serves as both a client and a server. Thats in contrast to the World Wide Web, which works on a client/server model.

Data leaks mean dollars. Click here to read more.

The content on the WWW doesnt go away when individual nodes shut down. In contrast, when a member of a P2P network signs off, any content on that system is no longer available to the network at large. What that means is that somebody searching for terms leading to the breached ABN data could well come up empty-handed at one moment, but the breached data could pop up somewhere else if a user who has the file happens to log into the network.

Searches done by individual users on LimeWire might not detect the breached data for yet another reason: The P2P network is simply too vast to be searched. An individual can search a maximum of perhaps 4,000 nodes, Gormley said, before the vast network would grind the search to a halt.

The reason why Dow Jones turned to Tiversa and why the company was able to search the entire network was that Tiversa uses proprietary algorithms that outline the periphery of the network, he said. The company monitors some 1.3 billion P2P searches daily, including the search terms involved. If somebody is searching on a term associated with a credit card, Tiversa is poised to pick up on it. To get an idea of that reach, Google transacts some 130 million searches daily.

P2P breach connections

P2P file-sharing networks are being implicated in a growing number of data breaches, many inadvertent. In June, the personal information of 17,000 current and former Pfizer employees was exposed after an employee installed unauthorized file-sharing software on her company-provided laptop for use at home. Social Security numbers and other data on some 15,700 people were copied, the company said, in letters sent to affected employees and to state attorneys general.

Earlier in September, a confidential terrorist threat assessment on Chicago done by Booz Allen Hamilton also made it out to a public file-sharing network. A reporter with Fox News in Chicago reported that he used LimeWire to access the document, which was authored in 2002.

Also in September, a Seattle man, Gregory Thomas Kopiloff, was arrested in what the Justice Department said was the first case brought against someone for using file-sharing data to commit identity theft.

In July, the issue came to a head in Congress in a hearing over inadvertent file sharing over P2P networks.

It cited its own investigation using LimeWire and found that running common searches over a one-month period easily turned up bank records, medical records, tax forms, federal workers credit card numbers, attorney-client communications, corporate strategy documents for Fortune 500 companies, confidential corporate accounting documents, government emergency response plans and even classified military operation orders.

Government Reform Committee Chairman Henry Waxman said at the time that he was considering new laws aimed at addressing the problem, given the possible frightening scenario of foreign governments, terrorists or organized crime getting their hands on documents that could reveal national secrets.

A Citigroup spokesperson told eWEEK that the company is investigating the data breach.

"Citis information security standards require that confidential information be stored on Citi-managed devices," he said in a prepared statement. "Protecting customer information remains a priority at Citi and we remain fully committed to physical, electronic and procedural safeguards to protect personal information."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Citigroup Customer Data Leaked on LimeWire
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r6*(w=O#dKkǶfU*$%){ܼs} _HKg29g&-`n4wAȅM{J.¢d>5)2A'A:6,-(P8"X.{D~Th';9>&a}N$a\<Դ' #RVR/F8Lw[hd| 5{a_U;]K_w@Sѡ*v25vk!6^ ;4 ȅ3z$6L@d`jI:B:"4#C15`p )zDtGL: nK> P:xtLf@aQ/*! lpi+tyyN .tvl*r~o^fz^[uwSY#W p׻%X愍EV'>6cݟQ~ 15OL"3Nˑ,YfXqWi ݱV*Z]QKrP)?W=v|˴Lh8F/ j^~pdvAJy]J! e UC ^_7D_j0QEVKy|/ Z@ .7P? uO.kQ2Z-_ Kk%٥~l$Y̮gfV҄ gUUYNA[~6tnCn l,aV4*2V]l&ȏAͪ}|q۽jnwCڝNYᣳx +?_fV'_ZUC0-=:$~4=|kh`m8;R^9 ?{2 'SRdt*A|pyA x훨-tK;WRH }xSyp#BX*,>JA8X@7? 9d[c2Ta]vjGo ZQ}3@_x0Nu{a7 @kiFkPYL`k6R\ 9lb䌗)6B̄H )WR>?z@U@ZR~nV(9USEI7#DD vx8~B(&pHqbNU1\a>Ukyx6fY[7'jtamM՘i*eށY5xiuO~S3G#VвnZ VƦcTf~\CU95|Qn٘2e8l ԰2>}aEw?C 6aϩ>wż1m;4}t>჎$>hƋMrinLrӇtu@.Lݣn<&tao7,AbGcSmC0CGE 61v| c9м`y`27CF{t$t,/{@`\@Z8`$8ʼE]qb B7}ɜ릥L L<ģA RP|#sZn( 7^ax"% EEKy3@ $h-4O`z,mbo$?LHXVppTݞHpPT>Uh3aGe-n^ $ d6g2+IMiG06-&D7r".G 7Kᙖ6@FZ,cM;1Mz:iY"daZc҂%Ll;i`2Ґ(ea9ޟzF~n;A랒%:\f335{00q}c] k%4klSܴa83 0|ChceBC`9N{3^kt\$ouuKıa|d:Nyvw=g&.Q1juϙO#k[}7M* jJ=WsA|5 i!sL&Ze onug HudH57KۏR5{_No6ʁy6+mmVJg@x# lkVƙA-ƘZ" IPצ(XKezdxe6:&CŸä 7s=k}0\ReZ Ȕe0+9,Wf (X~!m^/FgVީu<|$}r;6?C/<<fRqgӠMae ΤԺLM>kQ@/ı``{st9pJ.k9wM^].']9!@0m"QiNR} Ĵ^oZ,¿twֳj)݇I ,䧒ZQJ~$[b"ud\6˰@eִ&3q,y' zfd^0R+ҴE3sDB$*`LH'7s]KUQaȓuUoXyS;nLaD 570M;#LK/ogjQIBOKRMC'Xk5F>=c&O}INtxKF ‘"}yje>\RZr>j +b"[8:T:$漇W\܁ä:,Cd>5OM{c>4Yu Yj"A@z"RKz-85VjeVf>_2~2Ejw8x_ᄯ/8ݙ87Y:-wA_!m^9Z_29X>y: ;112& :S av5 1;AG50qHG&3E6YZNwHyT9֊kɭt)D a7 3sb_@7TvX/"X썿kC2ር546J,{ӁZFB -RF݂5m"uy@VIJXhQ{_5MOOШ6> }&no^{xSY Aɴ(1<2Hہ3Fnfۤs:n&c`l"Z`|i濭X`cb&T~\{Rglg^c+/ .`Y̙ɧb_?1\A>э+e*rO|m*Mn1}Ӛ`%[Ŵw)n<0{L3gN= Phnj`$dmhaU-g}X!2␜w ~+'Wa9L87=RJ 2=ctY8itgc6NZ*C)TʂYeo(QU-q'F.҂^%ixN1 Q,v}b;_&I|Se]ȣV)i+T\U񋰷83pa-XRjBL*>"{wcC/ PNFN3G P*~JePGIվm1RʵRM( CoED\%/:c lZv~Ƞ͕Z5` XsB5x`fK'2_vFܖ[J,]Aa u0 ]6%Q讻h]ef)seca-aI3M9` {IO,3'F*},wU :.izIRϢpӁ9tw@l~"ڊ tDu2q{27(۞kkfox<#ɟ?9qwP02A b$U˚V*j=ȥ9!`0\R+( ,%~w9ـo9 |ZUjrF2R@BZNbx<'b{HXN\iǷWXdK!O%EDOCVigX&J*ό&d{OZ]}"}QLXޟUv٩G#{?Jn)ilw5Z݋Gxg ?ٿn00N 0+?H LЇ_U#R9&jy-u/[o;lb8+} L@IP 4p>&i#O2nwJ7ms6#8-odD4|7.iwÏUGJ:7]w9&!.oXF^9nOM1Bk;d4)(3pX#aK#fψh!MsÙWb9kI.Dz=d_5g0T 8ьZ w~uYw1d|PVc (ʱ=`=`6v}N .@dBAnpz!NU HU*4Дk%IA%;g <B9FdYɉ C>}iV T t~nF џ` %cAdaF+9eIһ8 $ubSPۇ/:r0y!D(9o <%Ez:7GdfԎ8%4 \(?m[ħ{, /䎉<=;SN%M([viQ%uќyjWtJ9SBt (2H P2'I^VR6T$4%!44QLNbC]ҡ۳_'8 $O krwisq/P{v%yx4:k85(AuNHIJiIgԢᬖ^}+Y^N4~xr'|xj}yUyQ=,{GNÚĶ{s = ](=qc%vd:Gw*b,_}hrrӅ[eЦy$smCLٱDݘ~zv`N蚳9o. cg-{oCĆ_$"BQD=%&,`q*hcݮ"K" ñ3MQL# Hbй!sP+}Ƃz =GW+u\>eNx>HАߛS=p8#M[M^_͆ړJc Ǿz/ݻ7~Zw[q*ApKG<-L>?Gdc: M"IQU֫UdU)IW}Y)EG㳑)G8bo:`@L6COځ{-3(,l#{F^9__3{KNWkx>*~O 74 ]ekwB%J+nz%nUZhr;Dʊ%ոE*qQ)"{"F%t`!D:*pS^<{Ϝ'KxEd>!c7x4Qr{`"o>3iR,)eh)K_ (#mR@HX:?C^Ұp2W?KEYbFZUφix/Na@FIf0tJ}xwP 7YH&0MLFt(P:ғ1*a.ɃfAg^FM ;Yo!6Oi2Pq <: ) +M]1)$!q oG1]?eF9VVig5YR1g~͠dʱRwFg+)&'0]~9#*յZa /+%@c6+ǀ~Ҷ9.l_H H^uBjJM}xxϩ>fa+Ls"Z T ?p cAbG`}>0$N!> BFNwb*5U_v:]gx-KA6Q1]..Tb0E_l_5?nusk@Z`;NװZ8 aM|]K-bȗR Vږk/Ƙ1p\3WN@Gsc˒Z &YN( OL]>N<>ZJjR\y3.B#&' 4r}J4}\T uF;b4uR~X iqI7w7w7w7wwǖ>뫗v"nXZxmn\K--tIZBU7Ra7~z[}}# 09DC$1{!xJ/3r%(d 5Q_ܚҙIbHC"R6Wy bFHܥ\ '8'gx܋ ^aY4J-s <6іľO" < {$"{'̛;Uߒ1/8 ʒP -U!/aXK·HaWJakCCH-恡޽T JeYo`eUh˨^\(!8m6V`Hΰ_y. WgR"`=pQ#3Km}T7]eLg4L{NkXd$IB1b~=ZaҦd}A${][9Ou[R,’x]xlv7^>1xaH _ }=L$Z'PW%ݜ<+sVj93,҇ $bG Zwj +Yw6qoA08 I ъ (֝tž/DL6K;MV{EFo6V෽36=" _`8K_M]bX3;53:"5y|n@|%!n&[Ũ ssD2JzI| |4 O:3;7H6nQ",\Y%_+!o]Y8OxuI0>kXNaC?Br{#ŵmh4L( iL~KtC] |H^Uw$XϴW'_-q%tIxx".yb:kwL6R(R:{@\)a`K ND/wB[LoZ$&;EM~ ^"Ҷ uře^le#I4b'ݴōX,hMLÑBu}ų TaPCEŹnxm^Yj=T60W8~)ʁV?P,*MY+ Z^3B{sX0Oļ\^sn?La.=8cXYrV~0*->`3+n{l+ZKȶ8+ilWwEIJ"%Ng0%9m6uLeDl4 ?R)!m%Z9`V=1niccPJ OX`)W1ՄOZzNP44&O>JLxaj1aV gզٝ$7ygFau/xyBJOZ]}FGȚXw(t(BJ wKݴX>?Њ/>So›ɀ XPpsUI9TD~Nd>MQdRJґu =&z~̥7a{@\r q,D||z['AM}H?Km1aFhb#FrP0\~hu/U :7} d!/k` Xțc@S_EtIp8~L ' ]TW\ABxtTd fC1fVJ#h c1zSX_!e A1Hs!Whtn\CaHU Ft8Z3*Y#F2*mG&~I79t 4Ä$ld Dps<dl9sۈ9P"`")aچ`3bwr]`s8^31Faŷ~(l;b21bHܺ`v_H"1XJ.JguEt037  c!Ĕv7UI,N/x ` 3 u|`EP00a|Ls8hɖàFMQpV#ߛSgYװغ9P*%>gٕa)豪V/7)M ;Ue+=M蕴B*^Ȅq~/Y40 :>1f}7\bGrֻ!-rvMz]EFa[|SwNz폧gݫMjPhxR6/M&E`"eje) C9?YԞrm.4 "GȁW.}Q X\m޺|#UfUox g?&z [MrПgg:>/1]vN1o|jQ#ZuR'M& F8SD~s: Nn"))pj+彜rAvyh䔟Biv,>oos=.?nsʡݜ{S]|)/E|횗9s _ /}/s{ ̡%%e^^'UWCN9S~ 90W9{s#?W0~W9׃r?=/r qu7?799~A .>>@rC~~rw y9{  wɹNr!(oYNoR8'9B$_*Uy@a uuS~9@yJ*,cs\- {1[?[tO{BX\jzr+^vieq  u*[~|^rN^E`iBWOfq`a\m8ĊI(q0݁Ե'H00l4F oŌk"+H-*|6bZ֠}փD#iZ#XXN΀_Pln=,N7"fG_ζ;/v+4Ytu[ >$ gxr1oN϶{387uu7L25xR Hn2mg1!?gITǓx6e?!D6? iy&b b P|_|aڋOʜ ='fsH!L&`[l,)(4v$ѓ]y 0r;'Ʈ](m5|\sEUבU,&J _ B8̈́ri4u`AtN[a>$NSP{Xf@--N;;QG4 hε\a)x<AGR(ʩ+z-ă6 n='IDπiMMf@gUl)VxRDZ9=vļKY =c&u)b9?v"ㅰx/!ZQy|XT ,sD?>K:;s1U)֊_./gwǁMzK69[((& ]a6ьW%$t6#9"Ź oPm<% *`>ߕn (tIw`S fx94ML~4'c.QYcm'#84C>+-lQ޺5qmdxW}҂&:bz:SA\W .+b#(. rd{Goڻ*t1$+nvGD g>6'ك|2=hM(Fْ[0F-?Fu: ﯲAsl2q1j[ +"ۂ K-Ӽ1w։¥"UXJMX,8. sf㿴;(@P 79BuzϷ{<=v7s#g_2ҳU>vį-'yvJ^Su 7tlcb @J\ >DqTt5`GYM`Zkr8ǩc[6mxtz uue!.,0:33HTx.،U\)6r)* XGڢ~&?s^kg7usfE]E>*8Ѝ A\gX3' X<޳sW=?5^6Љe'9anm,eH&}qd.GDI qkm-Ŭ0&iE㨤t`C v_)~ph;߃҈>A wVǰ-YF!&ۅ 7O80Ux-h\}{X^;i,9LgѸ:"?X=<·d'KWܱ0tl#"|fa*HˣŬ"D0Ȯ'Z:tsh{h۟Z THهl*~&T*,{+ЃT~xFK-^ /"@Ԃ+"e})IDy)///(43}E.t^t.+wByֻHg#RI>PoXyx8~']f(FRqO\|=m(>]nbod/=i{{{ՖŠҒ%!nڝ4!ջnݫɊxY0]\}!l4O⍿0146]sPVKGv3HZW'J^R۽7ߺ"f/Oa6HU&s)#+Mm7\e^)Ms9Q2kG q>tgLp -ͱeRZ`l/Z6?3s*