
P2P Leads to Major Leak at Citigroup Unit

ABN Amro employee exposes personal data on 5,000 mortgagees by installing BearShare

Sep 24, 2007 | 02:42 AM

By Tim Wilson
DarkReading

In another instance of a data leak caused by peer-to-peer file-sharing software, Citigroup's ABN Amro mortgage unit reported Friday that a former employee, who had installed the BearShare file-sharing client, had exposed three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers.

Tiversa, a Pittsburgh company that offers data-leakage protection services, traced the origins of the ABN data to a Florida computer with the BearShare software installed, according to a report.

BearShare, LimeWire, and scores of other peer-to-peer (P2P) programs are designed to find and distribute songs, movies, and other files over the Gnutella file-sharing network. Whatever directory the user designates as shared is indexed and searchable by every other peer, so a work spreadsheet saved into a shared folder becomes retrievable by anyone who queries for it. Several other P2P-related data leaks have been reported this year, including the loss of some 17,000 names and Social Security numbers at Pfizer. (See Pfizer Falls Victim to P2P Hack.)

Tiversa Chief Executive Robert Boback said Tiversa had yet to perform a full analysis to see how far the data had spread worldwide, but found evidence the files already had moved beyond the former employee's computer.

"There is no question in my mind that... identity thieves have these files, and if they haven't already, they will be acting on them very soon," Boback said Friday. Tiversa was investigating the breach on behalf of a reporter for Dow Jones Newswires, which reported on the leakage earlier.

Boback said more than 1 billion searches are conducted daily over peer-to-peer systems. A good number of them involve bank names, the word "password," and other terms that appear to be attempts by would-be thieves to dig up other people's sensitive documents, he said.
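The check a practitioner would want before any folder is exposed to a P2P client is a quick pass over its contents for the kind of records this leak involved. What follows is an added example, not code from the article, from Tiversa, or from ABN Amro: a small Python scan that walks a would-be shared directory and flags text/CSV exports containing plausible Social Security numbers. The directory layout, file names and records are constructed for the demonstration; the SSA issuance rules used to weed out obviously bogus numbers (area 000, 666 or 900-999; group 00; serial 0000) are real.

```python
"""Scan a directory a P2P client would share for files holding SSN-like records.

Added example, not code from the article or from Tiversa. Assumes the shared
folder is a plain directory tree and that customer data sits in CSV/text
exports; the article's spreadsheets were binary files, which would need a
spreadsheet parser on top of the same pattern logic.
"""
import os
import re
import tempfile

# Shape AAA-GG-SSSS. Range checks follow SSA's published rules: area 000, 666
# and 900-999 are never issued; group 00 and serial 0000 are never valid.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """True if the three fields could belong to an issued SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of SSN-shaped tokens in text that pass the plausibility check."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_share(root: str, exts=(".csv", ".txt", ".tsv")) -> dict:
    """Return {path relative to root: ssn_count} for files that contain SSNs."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits


def build_demo_share() -> str:
    """Constructed sample share: one customer export with SSNs, one harmless playlist."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "work"))
    with open(os.path.join(root, "work", "mortgagees_q3.csv"), "w") as fh:
        fh.write("name,ssn,loan_id\n")
        fh.write("A. Example,123-45-6789,L1001\n")
        fh.write("B. Example,219-09-9999,L1002\n")
        fh.write("C. Example,666-12-3456,L1003\n")  # area 666: never issued, not counted
        fh.write("D. Example,078-05-1120,L1004\n")
    with open(os.path.join(root, "playlist.txt"), "w") as fh:
        fh.write("track-01-2007.mp3\nsong 123-45-67 demo\n")  # no full SSN shape
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for rel, n in scan_share(share).items():
        print(f"{rel}: {n} SSN-like record(s); do not expose this directory")
```

Running the scan on a real client's configured share list (rather than the constructed tree) is the point: a single hit is enough reason to pull the directory out of the share configuration before the client is started.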

Citigroup says it's investigating the leak.

— Tim Wilson, Site Editor, Dark Reading


Bugs: Enterprise Vulnerabilities (sidebar feed)

Vulnerability: cxf
Published: 2010-08-19
Severity: High
Description: Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.

Vulnerability: libvirt
Published: 2010-08-19
Severity: Medium
Description: Red Hat libvirt, possibly 0.6.1 through 0.8.2, looks up disk backing stores without referring to the user-defined main disk format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors.

Vulnerability: libvirt
Published: 2010-08-19
Severity: Medium
Description: Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-image backing stores without extracting the defined disk backing-store format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors.

Vulnerability: libvirt
Published: 2010-08-19
Severity: Medium
Description: Red Hat libvirt, possibly 0.6.0 through 0.8.2, creates new images without setting the user-defined backing-store format, which allows guest OS users to read arbitrary files on the host OS via unspecified vectors.

Vulnerability: libvirt
Published: 2010-08-19
Severity: Low
Description: Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree.