The Federal Trade Commission (FTC) has notified almost 100 organisations that personal information has been shared from their networks and is available on peer-to-peer (P2P) file-sharing networks.
The notices went to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands.
In the letter, from associate director Maneesha Mithal, the recipient is told that ‘at least one computer file containing sensitive personal information from or about your customers and/or employees has been shared from your computer network, or the network of one of your service providers, to a peer-to-peer file sharing network’.
The recipient is then told the name of a file, and is instructed that the ‘failure to prevent such information from being shared to a P2P network may violate laws enforced by the Commission’.
They are also advised to ‘identify the customers and employees whose information has been exposed by taking appropriate steps to determine which of your files have been shared to P2P networks’.
FTC chairman Jon Leibowitz, said: “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' licence and social security numbers - the kind of information that could lead to identity theft.
“Companies should take a hard look at their systems to ensure that there are no unauthorised P2P file-sharing programs and that authorised programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”
Tom Kelchner, research centre manager at Sunbelt Software, noted that the data could be used for identity theft or fraud, and said that the groups that received the letters included schools, local governments, large corporations and small businesses.
Steve Hurn, CEO of Secerno, said that the announcement came as ‘no surprise to those of us in the security industry’.
He said: “What makes this case difficult from an enterprise standpoint is that many of the organisations were probably not aware that their employees were using P2P technologies and putting their data at risk. With most IT departments understaffed, securing data has become difficult.
“Many organisations do not know which person or application is accessing data. Without that knowledge and associated built-in protection, they cannot ensure that sensitive data will not be accessed. The challenge for these organisations will be notifying those affected, and dealing with the fallout from investigating agencies and compliance organisations.”