Our P2P Investigation Turns Up Business Data Galore
We search the Gnutella network and find hordes of personal and business information that could ruin more than a few lives and give lots of companies PR nightmares.
WHO'S TO BLAME?
As I honed my technique, I got more reliable results. The search term "minutes" led me to what looked like the computer of a highly placed staffer of a state political party. There were files with the home and cell phone numbers of senators, confidential meeting notes, and fund-raising plans.
I came across a veterinary clinic, with listings of pets and their owners' billing information. A medical office revealed spreadsheets listing patients' names along with their HIV and hepatitis status. Wow. In between the vacation photos, there were piles of resumés, and one computer had a slew of court documents regarding a sticky divorce.
Among all this, a pattern emerged. Someone was sharing a large number of design specifications and orders for clothing, each labeled with the major retailer that had ordered the designs, along with correspondence between the suppliers and factories concerning the orders.
Another person appeared to be the owner of a cell-tower consulting firm. In front of me were files with site surveys and feasibility studies of various tower locations for several national carriers. Were I so inclined, I could probably buy up properties for which no suitable alternative locations were mentioned, then hold the phone company hostage for a high price.
After finding the RFPs and bids of a small consulting firm working for several government agencies, it hit me. Most large companies have security measures to prevent data leaks, but they work with many small suppliers and partners, entrusting them with confidential data. And it was mostly these small businesses, probably without any IT support or formal security policies, that were leaking the large companies' data.
Based on what I was able to find with simple tools in a short time, it's clear that there's really a lode of important corporate data coursing through P2P networks. It's essential that companies not just implement strong policies and pre- ventive measures covering their own computers and networks, but also address those used by employees at home and the practices of partners and suppliers.
Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.
Write to him at [email protected].
Photograph by Erica Berger
Return to the story:
Your Data And The P2P Peril
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022