Our P2P Investigation Turns Up Business Data Galore

WHO'S TO BLAME?
As I honed my technique, I got more reliable results. The search term "minutes" led me to what looked like the computer of a highly placed staffer of a state political party. There were files with the home and cell phone numbers of senators, confidential meeting notes, and fund-raising plans.

I came across a veterinary clinic, with listings of pets and their owners' billing information. A medical office revealed spreadsheets listing patients' names along with their HIV and hepatitis status. Wow. In between the vacation photos, there were piles of resumés, and one computer had a slew of court documents regarding a sticky divorce.

Among all this, a pattern emerged. Someone was sharing a large number of design specifications and orders for clothing, each labeled with the major retailer that had ordered the designs, along with correspondence between the suppliers and factories concerning the orders.

Another person appeared to be the owner of a cell-tower consulting firm. In front of me were files with site surveys and feasibility studies of various tower locations for several national carriers. Were I so inclined, I could probably buy up properties for which no suitable alternative locations were mentioned, then hold the phone company hostage for a high price.

After finding the RFPs and bids of a small consulting firm working for several government agencies, it hit me. Most large companies have security measures to prevent data leaks, but they work with many small suppliers and partners, entrusting them with confidential data. And it was mostly these small businesses, probably without any IT support or formal security policies, that were leaking the large companies' data.

Based on what I was able to find with simple tools in a short time, it's clear that there's really a lode of important corporate data coursing through P2P networks. It's essential that companies not just implement strong policies and pre- ventive measures covering their own computers and networks, but also address those used by employees at home and the practices of partners and suppliers.

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.
Write to him at [email protected].

Photograph by Erica Berger

Return to the story:
Your Data And The P2P Peril