FTC Warns of Data Breaches from P2P File Sharing

The Federal Trade Commission has warned approximately 100 organizations that their private customer and employee data is being shared on peer-to-peer networks. Businesses need to review and change their security policies to protect such information, the FTC says.

"The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared" from their computers via peer-to-peer networks, the FTC said in a release Feb. 22.

"In the notification letters, [PDF] the agency urged the entities to review their security practices"-as well as the practices of any "contractors and vendors" they do business with-"to ensure that they are reasonable, appropriate and in compliance with the law."

"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," FTC Chairman Jon Leibowitz said in a statement. "Just as [importantly], companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."

According to the FTC, "Failure to prevent ... [personal] information from being shared to a P2P network may violate" data privacy and security mandates included in laws such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act. Besides the 100 organizations it has contacted, "The agency also has opened nonpublic investigations of other companies whose customer or employee information has been exposed on P2P networks," the FTC said.

"What makes this case difficult from an enterprise standpoint is that many of the organizations were probably not aware that their employees were using P2P technologies and putting their data at risk," opined Steve Hurn, CEO of database security vendor Secerno. "With most IT departments understaffed, securing data has become difficult. Many organizations do not know which person or application is accessing data. Without that knowledge and associated built-in protection, they cannot ensure that sensitive data will not be accessed.

"The challenge for these organizations will be notifying those affected, and dealing with the fallout from investigating agencies and compliance organizations," Hurn added.

While the FTC did not specifically name the organizations it notified, the agency said it sent notices to "both private and public entities, including schools and local governments," and that some had "as few as eight employees" while others had "tens of thousands."

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," Leibowitz said. "For example, we found health-related information, financial records, and drivers' license and social security numbers-the kind of information that could lead to identity theft."

The FTC also said, "To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new [educational] materials that present the risks and recommend ways to manage them." Some tips for consumers can be found here.