Posts Tagged ‘P2P’
P2P networks sharing sensitive data
Written by John P Mello Jr on February 26, 2010 – 10:21 am
The FTC is raising the red flag over data breaches caused by P2P software.
A growing problem with the inadvertent disclosure of sensitive information through peer-to-peer (P2P) networks was exposed this week by the U.S. Federal Trade Commission (FTC). In a letter sent to almost 100 organizations, the agency raised the red flag that sensitive customer and employee information from those entities was being shared on public P2P networks where anyone could see it. It warned the organizations that the data could be used by unscrupulous parties to steal identities or perpetrate fraud.
“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” FTC Chairman Jon Leibowitz said in a statement.
“For example,” he continued, “we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft.”
“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” he added. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”
The FTC’s letter went to both public and private organizations ranging in size from as small as eight employees to publicly traded companies with 10,000 or more workers.
Although receipt of the letter doesn’t mean that an organization has broken any laws, the agency cautioned recipients, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.” It added that failure to prevent sensitive information from being shared on a P2P network could violate federal law.
It went on to note that if customer and employee confidential information was exposed on a P2P network, an organization should consider notifying the affected parties. In some cases, it added, such notification is required by state or federal law.


