P2P networks sharing sensitive data

Written by John P Mello Jr on February 26, 2010 – 10:21 am

The FTC is raising the red flag over data breaches caused by P2P software.

A growing problem with the inadvertent disclosure of sensitive information through peer-to-peer (P2P) networks was exposed this week by the U.S. Federal Trade Commission (FTC). In a letter sent to almost 100 organizations, the agency raised the red flag that sensitive customer and employee information from those entities was being shared on public P2P networks where anyone could see it. It warned the organizations that the data could be used by unscrupulous parties to steal identities or perpetrate fraud.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” FTC Chairman Jon Leibowitz said in a statement.

“For example,” he continued, “we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft.”

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” he added. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC’s letter went to both public and private organizations, ranging in size from as small as eight employees to publicly traded companies with 10,000 or more workers.

Although receipt of the letter doesn’t mean that an organization has broken any laws, the agency cautioned recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.” It added that failure to prevent sensitive information from being shared on a P2P network could violate federal law.

It went on to note that if customer and employee confidential information was exposed on a P2P network, an organization should consider notifying the affected parties. In some cases, it added, such notification is required by state or federal law.
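The FTC’s advice amounts to two checks: make sure no unauthorized file-sharing clients are running, and make sure the folders an authorized client shares do not contain the kind of records the agency found (health data, financial records, Social Security and driver’s license numbers). The script below is an added illustration of the second check, not code from the article or the FTC letter: it walks a list of shared folders and flags files that contain plausibly valid SSN-shaped numbers or health/financial keywords. The shared-folder path, the keyword list and the sample files are constructed for the demonstration.

```python
"""Audit P2P shared folders for files that appear to carry sensitive records.

Added illustration (not from the article or the FTC letter). The folder passed
to audit_shared_folders() would, in practice, be the share directory configured
in the P2P client; here a temporary folder with constructed files stands in.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# SSN-shaped token AAA-GG-SSSS (hyphen or space separated); validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Health/financial record markers, matched on word boundaries to avoid substring noise.
KEYWORD_RE = re.compile(
    r"\b(diagnosis|patient|routing number|account number|driver'?s licen[cs]e|social security)\b",
    re.IGNORECASE,
)


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    path: str
    ssn_count: int = 0
    keywords: list = field(default_factory=list)


def scan_file(path, max_bytes=4 * 1024 * 1024):
    """Read a file as best-effort text and return a Finding, or None if nothing sensitive is seen."""
    try:
        if os.path.getsize(path) > max_bytes:
            return None  # skip large files such as media, which P2P shares are usually meant for
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="ignore")
    except OSError:
        return None
    ssns = [m for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    hits = sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(text)})
    if not ssns and not hits:
        return None
    return Finding(path=path, ssn_count=len(ssns), keywords=hits)


def audit_shared_folders(folders):
    """Walk every shared folder and return findings, highest SSN count first."""
    findings = []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                finding = scan_file(os.path.join(root, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: (-f.ssn_count, f.path))


def build_demo_share():
    """Create a constructed share folder: one benign file and two that look like leaked records."""
    share = tempfile.mkdtemp(prefix="p2p_share_")
    samples = {
        "playlist.txt": "track01.mp3\ntrack02.mp3\n",
        # one valid-looking SSN and one with an unissued area number (987)
        "hr/payroll_export.csv": "name,ssn,dob\nA. Sample,123-45-6789,1980-01-01\nB. Sample,987-65-4321,1975-06-30\n",
        # health keywords plus an SSN-shaped value that fails the area check (000)
        "scans/intake_form.txt": "Patient: C. Sample\nDiagnosis: (redacted)\nSSN: 000-12-3456\n",
    }
    for rel, content in samples.items():
        full = os.path.join(share, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return share


if __name__ == "__main__":
    for f in audit_shared_folders([build_demo_share()]):
        print(f"{f.path}: {f.ssn_count} SSN-like value(s), keywords={f.keywords}")
```

The structural SSN filter matters in practice: without it, any nine-digit identifier with dashes (order numbers, part codes) would be reported, and the audit output would be ignored as noise. A real deployment would feed the client’s configured share paths into `audit_shared_folders()` and treat any finding as a reason to remove the file from the share before it is indexed by other peers.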

Data breaches increase, legal costs soar

Written by John P Mello Jr on February 16, 2010 – 6:19 pm

Average per-record cost of a data breach has increased from $138 per victim in 2005 to $204 in 2009.

The per-customer cost to companies that suffer data breaches increased slightly over the last year, as did the average cost per incident, according to a recent report.

Compared to 2008, when the average per-victim cost of a data breach was $202, the cost last year was $204, according to the fifth annual U.S. Cost of a Data Breach study, conducted by the Ponemon Institute, of North Traverse City, Mich., and sponsored by the PGP Corporation, of Menlo Park, Calif.

Also increasing a tad was the average cost per incident, to $6.75 million from $6.65 million in 2008. Although the cost of each incident climbed, the actual number of incidents declined by 24 percent, to 498 from 657 in 2008.

Although the direct costs attributed to data breaches declined in 2008, they showed a significant increase in 2009, according to the study, which analyzed 45 cases in 15 industries including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels, leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. Cases ranged from as few as 5,000 records to as many as 101,000 records.

Direct, or ex-post, costs attributed to breaches, the researchers found, jumped to $60 from $50 in 2008. “One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” they maintained. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

Top patches, data breaks of 2009

Written by John P Mello Jr on January 5, 2010 – 10:48 am

Microsoft set dubious record in 2009.

Microsoft set a dubious record in 2009. In the month of October, it released the most updates (13) to address the most vulnerabilities (34) in the history of the company.

Ironically, a user who ignored every update the company released during the year would still have averted more than 70 percent of all attacks launched in that period, provided their Microsoft Word patches were current through June 2006. That’s because, according to one researcher, 71 percent of all attacks in 2009 exploited a vulnerability in the company’s word processor that was patched three years ago. Another 13 percent of all attacks exploited a vulnerability in Microsoft Excel that was patched in March 2008.

Since one never knows what vulnerabilities will catch a cracker’s fancy, the wisest course of action is to install patches when they become available, but if you’ve fallen behind in that department, you may want to move the following patches to the top of your to-do list. According to security experts, they’re the most important ones released in 2009, although one was actually introduced in 2008.

One such patch fixes a flaw in the Active Template Library used to build ActiveX controls. ActiveX has long been a juicy target for malware writers because it can be used to automatically download malicious software. In this case, the vulnerability negates certain security patches previously released by Microsoft. The patch, for Microsoft Visual Studio, lets developers rebuild their programs without the flawed library code.

In 2009, information highwaymen boosted their efforts to compromise Adobe PDF files. Adobe has contributed to the problem by acting slowly to address vulnerabilities in its products. Last year, the company emulated Microsoft’s approach by releasing a monster update aimed at 29 vulnerabilities. Implementing this patch now, though, will be only a stop-gap measure, as the most recent Acrobat exploit won’t be tackled until Adobe’s next update, expected to be released on January 12.