AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Security: FTC Charges Two Companies Over P2P Data Leaks

Data breaches.  They come in all forms.  And the Federal Trade Commission (FTC) is going after the irresponsible ones, no matter what form they take.  Earlier this month, the FTC charged two companies with leaking data via P2P networks.  Encrypting the files themselves would conceivably have contained the exposure of sensitive data (mind you, that's file encryption and not disk encryption we're talking about: a running P2P client reads files through the operating system, which decrypts a full-disk-encrypted volume transparently, so only file-level encryption keeps the shared copy unreadable).

What is P2P and Why is it a Data Security Concern?

P2P stands for "peer to peer" and refers to a network of computers where data can be exchanged without a central server.  It was the basis for music file exchanges under Napster and other similar programs.  The programs proved to be extremely popular despite their "illicit" undertones.

P2P is also the foundation for Skype, the freemium, encrypted phone service that was bought by Microsoft (and led some to wonder whether it was still a true P2P program when some underlying changes were made).

In a nutshell, P2P is the underlying foundation for some of the world's most popular software packages and services which revolve around information exchange, no matter what type of information it may be.

It's also mature technology, which is why there is already a good list of P2P-related breaches.  A smattering of P2P-focused breaches I've covered in the past:

Of course, using P2P software is no more vulnerable to data breaches than other ways of accidentally leaking information: email, sending faxes to the wrong recipient, etc.  It's a matter of ensuring your settings are configured correctly.  With a file-sharing client, that means the shared folder: the client offers up everything beneath whatever directory it is pointed at, so a share root set to a home directory or a whole drive quietly exposes every business record stored under it.
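The "correctly configured settings" point above comes down to two checks a practitioner would actually run against a file-sharing client: does the configured share root sit at or above a directory that holds business data, and does anything under the share already contain the kinds of values named in these cases (Social Security numbers)? The following is an added example written for this post; it is not code from the original article or from any P2P client. The directory layout, the sensitive-directory list and the file contents are constructed fixtures, and the SSN pattern is a heuristic that only applies the structural exclusions the SSA publishes (area 000/666/9xx, group 00, serial 0000 are never issued).

```python
"""Audit a P2P client's shared folder before it exposes business records.

Added example, not part of the original post. Models the EPN/Franklin failure:
a share root that covers more than the folder meant for sharing.
"""
import re
import tempfile
from pathlib import Path

# Heuristic SSN matcher: 3-2-4 digits with the never-issued ranges excluded.
# It cannot distinguish a real SSN from any other well-formed number.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Skip very large files so a music library does not stall the audit.
MAX_BYTES = 5 * 1024 * 1024


def share_is_overbroad(share_root, sensitive_dirs):
    """True when the share root is, or is an ancestor of, a sensitive directory.

    A P2P client shares everything under its configured root, so a root set to
    a user's home directory (or a drive letter) silently exposes Documents,
    Desktop, accounting folders, etc.
    """
    root = Path(share_root).resolve()
    for d in sensitive_dirs:
        target = Path(d).resolve()
        if root == target or root in target.parents:
            return True
    return False


def find_sensitive_files(share_root):
    """Walk the share; return {path: count} for text files with SSN-like tokens."""
    hits = {}
    for path in Path(share_root).rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        n = len(SSN_RE.findall(text))
        if n:
            hits[str(path)] = n
    return hits


def audit_share(share_root, sensitive_dirs):
    """Run both checks; an empty 'findings' list means the share passed."""
    findings = []
    if share_is_overbroad(share_root, sensitive_dirs):
        findings.append("share root covers a sensitive directory")
    for p, n in sorted(find_sensitive_files(share_root).items()):
        findings.append(f"{n} SSN-like values in {p}")
    return {"share_root": str(share_root), "findings": findings}


def build_demo():
    """Constructed fixture: a home dir holding patient records and a share folder."""
    home = Path(tempfile.mkdtemp(prefix="p2p_audit_"))
    docs = home / "Documents"
    shared = home / "Shared"
    docs.mkdir()
    shared.mkdir()
    # Constructed records, not real people. The first two pass the structural
    # filter; 000-12-3456 is excluded because area 000 is never issued.
    (docs / "patients.csv").write_text(
        "name,ssn,dx\n"
        "A. Example,123-45-6789,J45.20\n"
        "B. Example,456-78-9012,E11.9\n"
        "C. Example,000-12-3456,I10\n"
    )
    (shared / "playlist.txt").write_text("track01.mp3\ntrack02.mp3\n")
    return home, docs, shared


def run_demo():
    """Audit a misconfigured share (root = home) and a confined one (root = Shared)."""
    home, docs, shared = build_demo()
    bad = audit_share(home, [docs])     # client pointed at the whole home dir
    good = audit_share(shared, [docs])  # client confined to the sharing folder
    return bad, good


if __name__ == "__main__":
    bad, good = run_demo()
    print("misconfigured share:", bad["findings"])
    print("confined share:     ", good["findings"])
```

The same two functions can be pointed at a real client's configured share path and at the directories your data inventory says hold customer records; the audit is what the FTC complaint describes as missing when it faults the company for not scanning for file-sharing applications and the data they expose.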

Which is probably why the FTC has charged two companies -- a debt collection agency in Utah and a car dealership in Georgia -- with leaking customer data.

EPN (Checknet)

According to arstechnica.com and other sources, the FTC

alleges that the company allowed its chief operating officer "to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network."

Also, from ftc.gov:

The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, such as scanning its networks to identify any P2P file-sharing applications operating on them, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.

The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information.

Franklin's Budget Car Sales (Franklin Toyota)

The second company,

sells cars and provides financing options for buyers, released information belonging to 95,000 of its customers, including names, addresses, Social Security Numbers, dates of birth, and driver's license numbers.... since 2001, Franklin's Budget Car Sales (also known as Franklin Toyota) assured users in its privacy and data use policy statement that it maintains "physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information." The FTC's charges stand in direct contradiction of that statement, and found that the auto dealer violated the commission's prohibition of "unfair or deceptive acts" in commerce. [arstechnica.com]

FTC Goes After Deceptive Practices

The FTC accuses many companies of deceptive practices.  Well, technically, there isn't a way to get around that: a big part of the FTC's mandate is to go after companies that engage in unfair or deceptive acts in commerce.  What I mean is that the FTC has gone after many companies that have leaked data for that one reason: promising to keep data safe, and then not doing so.

The list is a motley composition of big names and "no names."  For example, you have the two companies above that, I'm assuming, most people have never heard of before.  But, you also have Twitter, Rite Aid, RockYou, and MySpace.

The bottom line: if you're storing customer data -- especially if it's considered to be "sensitive" in nature -- you'd better be protecting it.  Or, if you're not, at least don't promise to do so.  Nobody reads those privacy policies anyway, right?  Right?

Riiight.  The correct move, of course, is to ensure that your data security is up to par.


Related Articles and Sites:
http://www.ftc.gov/opa/2012/06/epn-franklin.shtm
http://arstechnica.com/tech-policy/2012/06/ssns-on-p2p-the-feds-found-businesses-that-leaked-private-information/
http://www.bankinfosecurity.com/ftc-highlights-p-to-p-network-risks-a-4841
http://www.pcadvisor.co.uk/news/network-wifi/3362561/ftc-charges-two-firms-with-leaking-customer-data-on-p-p-networks/
http://www.enewspf.com/latest-news/latest-national/34032-ftc-charges-businesses-exposed-sensitive-information-on-peer-to-peer-file-sharing-networks-putting-thousands-of-consumers-at-risk.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.