Personal information on a few thousand ABM Amro Mortgage Group (unit of Citigroup) customers has been leaked out to anybody in the world through a peer-to-peer (P2P) software. The names, Social Security numbers, and mortgage information of some 5,200 people which was stored on an employee laptop was shared via the LimeWire P2P software.
While it is unclear how many times the information has been downloaded over the P2P network, the fact that a computer containing a large amount of personal information was allowed to run P2P software is inexcusable. In all likelihood, Citigroup (or ABM Amro Mortgage) have some sort of restrictions (administrative policy or an IT set of software restrictions) which prohibit P2P sharing in general and in all likelihood the employee who used the laptop in question did so without authorization. Even so, the problem remains at Citi and their IT security personnel for failing to prevent or detect such software earlier. Placing the blame on the individual user is not an excuse as it is Citi’s reputation (and possibly checkbook after claims by these 5,200 affected people are filed) on the line.
According to Pike & Fischer, in testimony at a July House subcommittee hearing on P2P risks, LimeWire Chairman Mark Gorton said that a "small fraction" of users override safe default settings that come with the program, despite the company’s warnings and precautions. The company is working on a "new generation of user interfaces and tools designed with neophyte users in mind," making it "even easier for users to see which files they are sharing and to intuitively understand the controls available to them," he said.
Even if LimeWire is successful in preventing users from ‘inadvertently’ sharing their business documents folders, a company which takes its intellectual property and information security and privacy seriously should, in most cases, take proactive steps to weed out P2P software from its networks.
In malaysia, if a person were to make an unauthorize access is pleaded guilty under Section 3(1): A person shall be guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized; and (c) he knows at the time when he causes the computer to perform the function that that is the case.
No comments:
Post a Comment