Citigroup Customer Data Leaked on LimeWire

Names, social security numbers and credit information of 5,208 Citigroup customers were leaked by an employee to LimeWire P2P file-sharing network.

Citgroup has confirmed that its investigating a data breach involving the names, Social Security numbers and credit information of 5,208 customers leaked by an employee of its ABN Amro Mortgage Group unit onto the LimeWire peer-to-peer file-sharing network.

Tiversa, a company that monitors P2P networks on behalf of clients, told eWEEK that it found Excel spreadsheets from the desktop of a financial analyst at ABN Amro Mortgage Group running LimeWire. Although Tiversa found over 10,000 files, deduplication revealed only 5,208 unique Social Security numbers, along with names and what type of mortgage each customer had: conventional, 30-year or conforming, for example.

Tiversa performed the review at the request of a Dow Jones Newswire reporter investigating the story.

The information is likely to have been exposed to millions of LimeWire users, given that there are at least 10 million nodes online in a P2P file-sharing network at any point in time, said Chris Gormley, Tiversas chief operating officer.

"As an identity thief, [that gives you] the keys to [those individuals] digital life," Gormley said.

According to a Dow Jones Newswire report, the ABN employee responsible for posting the data signed up last year to use a LimeWire-like P2P service and inadvertently exposed not only the spreadsheet but also personal documents, including her resume and a Travelocity confirmation of a family trip. The woman told the news service that she was laid off this summer and wasnt aware of the breach before Dow Jones contacted her on Sept. 20.

Extent unknown

Due to the nature of P2P networks, the extent of the datas dispersal is unknown. Tiversa said the data wasnt online as of Sept. 20, but nodes containing the data could pop up at any time.

Dow Jones Newswires staff viewed the spreadsheets using LimeWire, which can be used to share music, movies and other types of files via the P2P file-sharing network—an architecture in which each member computer serves as both a client and a server. Thats in contrast to the World Wide Web, which works on a client/server model.


Data leaks mean dollars. Click here to read more.

The content on the WWW doesnt go away when individual nodes shut down. In contrast, when a member of a P2P network signs off, any content on that system is no longer available to the network at large. What that means is that somebody searching for terms leading to the breached ABN data could well come up empty-handed at one moment, but the breached data could pop up somewhere else if a user who has the file happens to log into the network.

Searches done by individual users on LimeWire might not detect the breached data for yet another reason: The P2P network is simply too vast to be searched. An individual can search a maximum of perhaps 4,000 nodes, Gormley said, before the vast network would grind the search to a halt.



The reason why Dow Jones turned to Tiversa and why the company was able to search the entire network was that Tiversa uses proprietary algorithms that outline the periphery of the network, he said. The company monitors some 1.3 billion P2P searches daily, including the search terms involved. If somebody is searching on a term associated with a credit card, Tiversa is poised to pick up on it. To get an idea of that reach, Google transacts some 130 million searches daily.

P2P breach connections

P2P file-sharing networks are being implicated in a growing number of data breaches, many inadvertent. In June, the personal information of 17,000 current and former Pfizer employees was exposed after an employee installed unauthorized file-sharing software on her company-provided laptop for use at home. Social Security numbers and other data on some 15,700 people were copied, the company said, in letters sent to affected employees and to state attorneys general.

Earlier in September, a confidential terrorist threat assessment on Chicago done by Booz Allen Hamilton also made it out to a public file-sharing network. A reporter with Fox News in Chicago reported that he used LimeWire to access the document, which was authored in 2002.

Also in September, a Seattle man, Gregory Thomas Kopiloff, was arrested in what the Justice Department said was the first case brought against someone for using file-sharing data to commit identity theft.

In July, the issue came to a head in Congress in a hearing over inadvertent file sharing over P2P networks.

It cited its own investigation using LimeWire and found that running common searches over a one-month period easily turned up bank records, medical records, tax forms, federal workers credit card numbers, attorney-client communications, corporate strategy documents for Fortune 500 companies, confidential corporate accounting documents, government emergency response plans and even classified military operation orders.

Government Reform Committee Chairman Henry Waxman said at the time that he was considering new laws aimed at addressing the problem, given the possible frightening scenario of foreign governments, terrorists or organized crime getting their hands on documents that could reveal national secrets.

A Citigroup spokesperson told eWEEK that the company is investigating the data breach.

"Citis information security standards require that confidential information be stored on Citi-managed devices," he said in a prepared statement. "Protecting customer information remains a priority at Citi and we remain fully committed to physical, electronic and procedural safeguards to protect personal information."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.