FTC warns 100 organizations about leaked data via P2P

Probe shows sensitive data like health and finance records as well as Social Security numbers have been leaked to file-sharing networks at a range of public and private entities.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
The U.S. Federal Trade Commission has notified nearly 100 organizations that data from their networks has been found on peer-to-peer file-sharing networks, the agency said on Monday.

The FTC notices went to private and public entities, including schools and local government agencies, and to organizations with as few as eight employees and as many as tens of thousands, the FTC said in a statement. The leaked information about customers and employees is sensitive and could be used to commit identity fraud, conduct corporate espionage, and carry out other crimes.

The FTC did not name the organizations involved. It said it has opened nonpublic investigations of other companies that have had data exposed on peer-to-peer networks. Data can be exposed when file-sharing settings are not configured properly, making it available to anyone with access to that peer-to-peer network.

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' license and Social Security numbers--the kind of information that could lead to identity theft," FTC Chairman Jon Leibowitz said in the statement. "Companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."

The FTC notices urged recipients to review their security practices to make sure they are in compliance with the law, and to identify customers and employees who are affected and "consider whether to notify them that their information is available on P2P networks." Regulations on whether and how companies are to notify consumers about data breaches vary from state to state.

Data leaks due to the use of peer-to-peer file-sharing at hospitals, government agencies, pharmaceutical companies, and financial institutions, among other businesses, have prompted congressional hearings and led security experts to question whether the technology can feasibly co-exist with network security.