ABN Amro PII Breached Through P2P: Lessons Learned

Much is written about the risks P2P presents to organizations, but many organizations continue to implement P2P technologies, or more accurately allow their personnel to implement them on computers used for business, because they are willing to risk that the threat theories will not materialize within their own organizations.

As is the tendency, most organizations do not implement security safeguards until 1) they get burned themselves; 2) they must do so to be in compliance with applicable laws and regulations; or 3) other organizations similar to them have experienced incidents for the identified theoretical risks.
To date, few network and information compromises via P2P technologies have actually been reported. However, over the past two weeks it was widely reported that ABN Amro Mortgage Group experienced a privacy breach as a result of one of their employees using a P2P product, Lime Wire.

“The ABN Amro data breach appears to have occurred after a business analyst at the Citigroup unit in Florida — or a member of her family — signed up last year to use a service similar to Lime Wire. By doing so, she appears to have inadvertently exposed many documents from her computer: not just the spreadsheets, but also personal documents such as her résumé and a Travelocity confirmation of a family trip. It isn’t clear how long the information was online or how far it has spread. The analyst says she was laid off this summer; she says she wasn’t aware of the data breach until she was contacted by a reporter Thursday.”

Now here’s a statistic that should get your attention…
According to the published report, Tiversa indicates 1.3 billion searches are conducted on P2P networks each day, compared to 130 million searches a day on Google!
This incident is a very good example to use within your awareness messages, along with using it as a good case study within your training.
This points out the need for organizations to have strong controls implemented for personally identifiable information (PII), not only within the network perimeter, but also on any endpoints where PII is accessed or stored, most particularly those that are remotely located, such as within the ex-employee’s home.
Many bad things can happen to data, including PII, under the complete control of your personnel if 1) there are inadequate safeguards in place, and 2) the personnel are not kept aware of security risks and of how to use their computers in ways that will not put PII at risk.
If you allow P2P to be used by your personnel, do you have enforced policies and procedures in place providing them the requirements for how to use P2P? Is it possible for personnel to change the P2P settings and subsequently put PII at risk? In most cases it is.
Some of the lessons to learn from this:
* Organizations must provide training and ongoing awareness for information security and privacy issues, such as using P2P.
* Organizations must have policies and procedures in place regarding the use of P2P.
* Mobile PII…basically any PII sent through public networks and/or stored or accessed on mobile computing devices and mobile storage devices…should be encrypted.
