Cigna has been using Tiversa's services since last year. Cigna prohibits use of file-sharing software on company PCs, but CISO Shumard knows that's not enough to stop the problem. With 10 million health plan members and 550,000 partners, Cigna has to worry about file sharing outside its firewall as well.
Cigna used to do its own P2P monitoring, and Shumard's done a bit of the investigative work himself. "I was shocked by some of the information I've seen out there," he says. But Tiversa casts a wider net, and its search-term data can be revealing. Shumard was surprised to learn that an anonymous P2P user was searching for information on an obscure Cigna business interest. "Why would someone be searching for one of those names?" he says. "Somebody's obviously fishing for something." He suspects a competitor was trying to dredge up information on the company.
To better understand the movement of private data over P2P networks, Tiversa has conducted a series of "honey pot" experiments in which it exposed files, then waited to see what would happen. One test involved a $50 cash card with the file name creditcardnumbers.doc. Within a day, the file was grabbed 28 times and the funds depleted. Other honey pots were set up with executive documents, HR files, IT-related material, and consumer data. The end result was always the same: wide and rapid file distribution on P2P networks around the world.
The researchers collected 114,000 bank-related files. Their biggest catch was a spreadsheet with 23,000 business accounts, including names, addresses, account numbers, and titles.
They also assessed each bank's "digital footprint," a measure of the words and phrases associated with a bank that might turn up documents in a P2P search. Not surprisingly, banks with names that have something in common with popular song titles or musicians are at increased risk of an internal document surfacing during a P2P search. For example, PNC Bank shares its initials with a rapper, making it more likely that a bank document might appear in search results for the rapper's work.
The Dartmouth researchers offer some useful advice to IT departments looking for answers to the P2P problem:
- Educate employees, customers, suppliers, and contractors on the dangers of P2P sharing.
- Create home-use policies to lower the risk of leaks from home-office PCs.
- Introduce file-naming conventions that are less likely to be found and spread over P2P networks.
The evidence shows that not everyone is using P2P networks for music and video sharing. Shady characters are searching for financial records, Social Security numbers, personal data, and even documents that could be used to knock out a subway or undermine a company. "We see thousands of information concentrators. They're specialists," says Chris Gormley, chief operating officer at Tiversa.
Just what are these people doing with the treasure trove of digital content they collect? That's an open question, says Gormley. And it's one your company would be better off not having to answer.
Photograph by Erica Berger