IT Compliance and Controls

Converging Business, Information, and Controls


Widespread Data Breach Evidence found on P2P Environments

February 22nd, 2010 · 1 Comment

The FTC sent letters to nearly 100 organizations advising them that customer and/or employee data protected by United States law was widely available online.  The exposure of such information is nothing new to most people: in the early days of Napster, entire hard drives were shared, and QuickBooks files and more were available to anyone curious enough to look for them.

The notice stated that the FTC had discovered exposed personal health records, financial account information, data protected by PCI DSS, HIPAA, and HITECH, and other PII records.

These notifications are nonetheless a great step, as they give businesses awareness and guidelines for reducing the threat, along with guidance on how to minimize the impact of these data breaches.  Unfortunately, given how these file-sharing systems work, the data has likely been released permanently, and the owners of this information will need to establish monitoring and preventive measures going forward.

A few of the measures the FTC suggests for protecting sensitive information from exposure on P2P networks include:

  • Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved.
  • Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information.
  • Use appropriate file-naming conventions.
  • Monitor your network to detect unapproved P2P file sharing programs.
  • Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls.
  • Train employees and others who access your network about the security risks inherent in using P2P file sharing programs.
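As an added example for the "monitor your network" item above (this is not code from the original post or from the FTC letter), the following Python script flags hosts in constructed flow records using two heuristics: connections to the well-known default ports of common P2P clients, and an unusually high number of distinct peers contacted on unregistered high ports. The port list and the fan-out threshold are assumptions that each site would tune to its own approved-software policy.

```python
from collections import defaultdict

# Default listening ports of common P2P clients. Assumption: tune this to the
# programs your policy actually bans; clients can change ports, so this is
# only one signal and is paired with the fan-out heuristic below.
P2P_PORTS = {
    "bittorrent": set(range(6881, 6890)),
    "gnutella": {6346, 6347},
    "edonkey": {4662, 4672},
}
# Ports treated as ordinary client traffic and excluded from fan-out counting.
COMMON_SERVICE_PORTS = {25, 53, 80, 123, 143, 443, 587, 993}

# Constructed sample flows: (src_ip, dst_ip, dst_port). Host 10.0.0.5 talks to
# known BitTorrent ports and to many distinct peers on high ports; host
# 10.0.0.8 only browses HTTPS sites.
SAMPLE_FLOWS = [("10.0.0.5", "198.51.100.7", 6881), ("10.0.0.5", "198.51.100.8", 6885)]
SAMPLE_FLOWS += [("10.0.0.5", f"203.0.113.{i}", 50000 + i) for i in range(1, 26)]
SAMPLE_FLOWS += [("10.0.0.8", f"192.0.2.{i}", 443) for i in range(1, 31)]

def known_p2p_port(port):
    """Name of the P2P client whose default port range contains `port`, or None."""
    for name, ports in P2P_PORTS.items():
        if port in ports:
            return name
    return None

def detect_p2p(flows, fanout_threshold=20):
    """Return {src_ip: findings} for hosts that hit a known P2P port or that
    contact more than `fanout_threshold` distinct peers on unregistered high ports."""
    port_hits = defaultdict(set)        # src -> names of P2P clients seen
    high_port_peers = defaultdict(set)  # src -> distinct peers on high ports
    for src, dst, port in flows:
        name = known_p2p_port(port)
        if name:
            port_hits[src].add(name)
        elif port > 1023 and port not in COMMON_SERVICE_PORTS:
            high_port_peers[src].add(dst)
    findings = {}
    for src in set(port_hits) | set(high_port_peers):
        peers = len(high_port_peers[src])
        if port_hits[src] or peers > fanout_threshold:
            findings[src] = {"clients": sorted(port_hits[src]), "peer_fanout": peers}
    return findings

if __name__ == "__main__":
    for host, info in sorted(detect_p2p(SAMPLE_FLOWS).items()):
        print(host, info)
```

In practice the flow tuples would come from firewall or NetFlow exports, and a hit is a prompt to investigate the host, not proof of a file-sharing client.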

In addition, the use of personal computers and smart devices (PDAs, iPod Touch, iPhone, Android devices, iPad, etc.) should be carefully reviewed and their permitted use defined.  The velocity at which data is created and moved means DLP is needed at multiple points.  As the utility of such devices increases, the need to manage and protect this information will increase as well.

Thoughts on how to minimize the release to P2P networks?

- James DeLuccia



  • lfc_1892 // Jul 5, 2010 at 12:21 am

    Protecting payment systems seems to be high on the agenda but I think this issue needs to be viewed holistically.

    Organization security standards should be enhanced and data should be classified to protect payment data from being leaked purposely/accidentally.
