Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/22/2010
01:46 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

FTC Probe Uncovers Widespread Data Breaches Via P2P Networks

Close to 100 organizations have been notified that personal data has been shared

The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations' computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.

Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' license and social security numbers--the kind of information that could lead to identity theft," said FTC Chairman Jon Leibowitz. "Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."

As the nation's consumer protection agency, the FTC enforces laws that require companies in various industries to take reasonable and appropriate security measures to protect sensitive personal information, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. Failure to prevent such information from being shared to a P2P network may violate such laws. Information about the FTC's privacy and data security enforcement actions can be found at www.ftc.gov/privacy/privacyinitiatives/ promises_enf.html.

The notices went to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands. In the notification letters, the FTC urged the entities to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure that they are reasonable, appropriate, and in compliance with the law. The letters state, "It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers."

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses' notification responsibilities in these circumstances.

Samples of the notification letters can be found at: http://www.ftc.gov/os/2010/02/100222sampleletter-a.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-b.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-c.pdf. The fact that a company received a letter does not mean that the company necessarily violated any law enforced by the Commission. Letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction.

The FTC appreciates the assistance of the Department of Health and Human Services, the Securities and Exchange Commission, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the Office of Comptroller of the Currency.

The new business education brochure " titled Peer-to-Peer File Sharing: A Guide for Business " is designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks, and explain how to safeguard sensitive information on their systems, and other security recommendations. This information is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. Tips for consumers about computer security and P2P can be found at www.onguardonline.gov/topics/p2p-security.aspx.

The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

MEDIA CONTACT:

Claudia Bourne Farrell, Office of Public Affairs 202-326-2181

STAFF CONTACT:

Alain Sheer, Bureau of Consumer Protection 202-326-3321

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24100
PUBLISHED: 2021-02-25
Microsoft Edge for Android Information Disclosure Vulnerability
CVE-2021-24101
PUBLISHED: 2021-02-25
Microsoft Dataverse Information Disclosure Vulnerability
CVE-2021-24102
PUBLISHED: 2021-02-25
Windows Event Tracing Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-24103.
CVE-2021-24103
PUBLISHED: 2021-02-25
Windows Event Tracing Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-24102.
CVE-2021-24105
PUBLISHED: 2021-02-25
Package Managers Configurations Remote Code Execution Vulnerability