What might have been a minor breach of IT policy at Pfizer last year cascaded into a serious security incident when the personal data of 17,000 employees and former employees leaked onto a peer-to-peer network. Connecticut's state attorney general, concerned that state residents were at risk, launched an investigation. At least one former employee filed a lawsuit against the company.
It all started when the spouse of a Pfizer employee used file-sharing software on a company laptop, presumably to swap music or other content with other P2P users. Unknowingly, the laptop user also exposed 2,300 work files, including those containing sensitive Pfizer employee data--names, Social Security numbers, addresses, and bonus information resident on the laptop.
Pfizer isn't the only company to have its sensitive data exposed in this way. A former employee of ABN Amro Mortgage Group last year exposed spreadsheets with personal data on 5,000 customers from a home computer loaded with the BearShare file-sharing program. And last fall, a terrorist threat assessment of Chicago's transit system, completed by Booz Allen Hamilton under contact to the Federal Transit Administration, surfaced on a P2P network.
To gauge the seriousness of the situation, we launched an investigation to see what kind of corporate data could be found on the popular Gnutella network. We discovered spreadsheets, billing data, health records, and more. (See our full report, "Our P2P Investigation Turns Up Business Data Galore".)
Used as intended, file-sharing programs and P2P networks can be a cheap, easy way for people to share content, and they're a popular channel for distributing open source software. Despite their association with illegal music sharing, not all P2P networks are equally dangerous when it comes to business data. The BitTorrent client and protocol, which employ centralized servers, are less prone to inadvertent file sharing than decentralized networks like Gnutella.
It's the improper or careless use of P2P that should worry IT departments. What can go wrong? Users sometimes mistakenly file a spreadsheet in the same folder they store music files or check the wrong box when configuring the P2P client and, voilà!, their corporate documents are out there for everyone to see.
(click image for larger view)