FTC Uncovers ‘Widespread Data Breaches’; Sends Letters To Nearly 100 Organizations, Opens ‘Non-Public Investigations’
Saying it has identified nearly 100 organizations that lost control of personal information they maintain on employees, customers or others, the FTC has notified the entities to tighten security on peer-to-peer (P2P) file-sharing networks.
At the same time, the agency said it has opened “non-public investigations” of companies whose customer or employee information has been exposed on P2P networks.
The FTC did not name the organizations that lost control of data, describing them as a mix of schools, local governments, small businesses and “corporations employing tens of thousands” of people.
In numerous cases, the FTC said, data maintained by the organizations was shared over their computer networks and now “is available on P2P networks” on which users play games, make phone calls, and share music, video and documents.
“[W]e found health-related information, financial records and drivers’ license and Social Security numbers — the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz.
The FTC provided three examples of letters sent to the organizations.
A letter sent to companies begins, “The Federal Trade Commission (FTC) is sending you this letter because at least one computer file containing sensitive personal information from or about your customers and/or employees has been shared from your computer network, or the network of one of your service providers, to a peer-to-peer file sharing (P2P) network.
“One such file is *******. The information is now available to users of the P2P network, who could use it to commit identity theft or fraud. Your failure to prevent such information from being shared to a P2P network may violate laws enforced by federal, state, or local law enforcement agencies.”
‘Hard Look’ Advised
“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” Leibowitz said. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”
In litigation in recent years, the FTC brought privacy-breach actions against well-known companies such as CVS Caremark Corp., the largest pharmacy chain in the United States; Genica Corp., operators of Computer Geeks Discount Outlet and geeks.com; and Premier Capital Lending Inc.
Those cases all have been settled.
In the Premier Capital case, the FTC alleged the company allowed a third-party home seller to access data without taking reasonable steps to protect it.
“A hacker compromised the data by breaking into the home seller’s computer, obtaining the lender’s credentials, and using them to access hundreds of consumer reports,” the FTC said.
In the Computer Geeks case, the FTC alleged the company stored sensitive customer information in unencrypted text on its corporate computer network.
Hackers stole the information, the FTC said.
Meanwhile, in the CVS case, the FTC said that it opened its investigation after reading newspaper reports that the company was “throwing trash into open [D]umpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including Social Security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”
Visit the FTC site for information on previous data-breach cases.