U.S. Supreme Court Judge Data Exposed Via P2P
The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer. I was able to trace the breach back to a former employee who accidentally shared the company's client list while browsing for files on the LimeWire peer-to-peer network.
I'm calling attention to this story because this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P. He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts. His tale caught my attention because I'd heard a nearly identical account from another attorney I contacted for today's story who had asked not to be named in the piece.
One interesting detail that didn't make it into the final edition of the paper this morning involves the source of my story. When he first tipped me off on how to find the data on LimeWire, he told me he downloaded the file from a computer those Internet address traced back to Tijuana, Mexico. When he selected "browse host" to check out the rest of the files being shared by that user, that's when he discovered dozens of similar documents, including tax returns from different U.S. states, as well as lists of credit, debit and bank account numbers.
Lynt said the thief used an online mortgage application system to obtain a credit report listing his various accounts. Investigators told him that in convincing the bank employee to wire the funds, the thief claimed he was on vacation in Mexico and had lost his wallet. The bank ultimately refunded Lynt the fraudulent wire transfer, but in the meantime a check he wrote to the Virginia Bar Association bounced.
"That was pretty embarrassing," Lynt said. "This guy really knew how to work the system."
Then, in March, someone using the same technique tried to withdraw cash from his accounts again, but the transaction failed because Lynt had since protected all of his accounts with difficult-to-guess passwords. Lynt said he was contacted recently by a fraud investigator from his mortgage company, who was looking into 75 to 80 potentially related cases.
A handful of readers also contacted me today to complain that my story was trying to demonize P2P use. Nothing could be further from the truth. In fact, I think LimeWire is among the leaders in P2P software makers for making it more difficult for users to unknowingly share private data (at least in the latest versions of the software). What's more, I'm actually a big fan of P2P: I find plenty of interesting and useful information on these networks.
All kidding aside, far too many people who use P2P software fail to take the one or two minutes required to ensure they're not inadvertently sharing private or proprietary data.
Yes, there are plenty of companies out there who offer hardware and software solutions to businesses who want to prevent employees from using P2P software. But a far simpler and less expensive approach is for companies not to let their employees run their computers using all-powerful administrator accounts, which have full rights to install software and monkey with important security and file integrity settings on the machine (obligatory plug for the limited user approach here).
It's fine for companies to have policies clearly stating that employee use of P2P software is a potentially career-ending offense, but once that company's data is up on P2P networks, it becomes extremely hard to stuff that genie back into the bottle.
July 9, 2008; 4:40 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: Patch (The Entire Internet) Tuesday
Next: Ghosts of Java Haunt Users
Posted by: John Moore | July 9, 2008 11:53 PM | Report abuse
Posted by: R | July 10, 2008 3:52 AM | Report abuse
Posted by: TJ | July 10, 2008 9:30 AM | Report abuse
Posted by: Bk | July 10, 2008 11:07 AM | Report abuse
Posted by: Tom Sydnor | July 10, 2008 11:44 AM | Report abuse
Posted by: Charles Decker | July 10, 2008 12:00 PM | Report abuse
Posted by: CHRISTOPHER LYNT | July 10, 2008 4:41 PM | Report abuse
Posted by: Robert Holleyman, BSA | July 11, 2008 10:53 AM | Report abuse
Posted by: Anonymous | July 12, 2008 4:14 AM | Report abuse
Posted by: ELois Poole-Clayton | July 15, 2008 4:54 PM | Report abuse
The comments to this entry are closed.