Sometime late last year, an employee of a McLean, Va., investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm’s clients, including Supreme Court Justice Stephen G. Breyer.
The breach was not discovered for nearly six months. A reader of washingtonpost.com’s Security Fix blog found the information while searching LimeWire in June.
Services such as LimeWire, known as peer-to-peer networks, link computers directly, allowing users to swap files with other users without the need for a central website to manage the exchange.
What users may not be aware of is that the software that facilitates file sharing may be configured to allow access to a portion, if not all, of a user’s documents.
Robert Boback, chief executive of Tiversa Inc., the company hired by Wagner to help contain the data breach, said such breaches are hardly rare. About 40% to 60% of all data leaks take place outside of a company’s secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
“We’ve seen a lot of instances where a company will be working on a product that’s not even released yet, and the diagrams for that product are already out on the Net,” Boback said. “The individuals on this list are at a very high risk, almost imminent, of identity theft.”
Tiversa found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.
“To me, this was devastating,” said Phylyp Wagner, founder of the investment firm. “I didn’t even know what peer-to-peer was. I do now.”
A spokesman for Breyer said the justice had no comment on the security breach.