Claims by Tiversa that WikiLeaks has scoured peer-to-peer networks in the past underscored the data leakage problems facing many organizations.
Allegations against WikiLeaks have spotlighted a key avenue for data leaks:
peer-to-peer (P2P) networks.
According to Tiversa, which specializes in monitoring P2P networks,
WikiLeaks has mined popular applications such as Kazaa and LimeWire for data in
the past-despite statements from WikiLeaks that it does not actively search for
information. As an example, Tiversa contends that on Feb. 7, 2009, it detected four
machines in Sweden
searching and downloading information via P2P.
Those searches ultimately led to a computer in Hawaii
with a survey of the Pentagon's Pacific Missile Range Facility there, Bloomberg
. Tiversa reportedly captured the download of the PDF file by
one of the Swedish computers. According to Bloomberg News, the document exposed
details of infrastructure changes involved in adding a new sensor system.
The document was reportedly renamed and posted on WikiLeaks in April 2009.
There were other examples as well, such as Army intelligence documents
posted by WikiLeaks in 2009 that were exposed
to searching on P2P networks
in September 2008. Then there was
a spreadsheet posted by WikiLeaks in late 2009 detailing potential targets
of terrorism in Fresno County, Calif.
The document was reportedly exposed accidentally by a California
state employee in August 2008.
WikiLeaks denied Tiversa's claims in an e-mail to Bloomberg News.
Regardless, this was hardly the first time P2P networks were found to be home
to sensitive information. In February 2010, the U.S.
Federal Trade Commission notified
nearly 100 organizations that personal
information, including customer and employee data, had been shared from the
organizations' computer networks and was available on P2P file-sharing
"The massive exposure of sensitive data on P2P networks is not a new
issue; however, the awareness of its breadth is," said Scott Harrer, brand
director at Tiversa.
Organizations of every size need to be diligent about file-sharing use, he
said, adding that large brands with armies of suppliers or a dispersed
workforce need to have proactive tools in place to detect and mitigate data
loss via P2P.
"Over 90 percent of the data disclosures that we see on P2P emanate
from suppliers, partners and remote employees," he said.
Some organizations look to data leak prevention (DLP)
technologies to solve the problem.
"Historically, the way to deal with protecting against data leaks over
P2P was simply to shut it down with old-style application control
products," said Robert Hamilton, senior product marketing manager for DLP
at Symantec. "Now, with the consumerization of IT and the blending of
work and personal life, it has become harder to simply turn off P2P.
Increasingly, people are expecting and asking for access to P2P applications
and are using them on personal time. So the new goal is to allow employees to
use the P2P applications, just not with confidential data."
There is however no shortage of organizations willing to ignore
the issue of insider data loss
or theft, said Mike Spinney, a senior
privacy analyst at the Ponemon Institute.
"The focus is too much on technology and not enough on people," he
said. "In 2009 we did a study on data loss that occurs, for example, when
employees are fired, laid off or voluntarily change jobs. It was very
high. Fifty-nine percent of those with whom we spoke said they took
information with them when they left a job.
"Granted, some people will do this anyway-they will regard proprietary
information as their parting gifts-but for most people it wasn't a malicious
act but simple ignorance," he continued. "They weren't aware of any
policy forbidding them from taking the information, and they felt entitled
because they had a role in creating it. So, I can't stress enough the
importance of creating meaningful use and governance policies, communicating the
policies effectively across all corporate strata, and enforcing the policies."