Educause Security Discussion mailing list archives

Re: P2P sensitive data searches


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 24 Apr 2008 11:04:28 -0400

I am not sure about the issues with pursuing; however, perhaps one
approach would be to find the host that is serving up the data and
contact the security contact for that network.  Organizations that keep
personal information have a responsibility to those individuals to keep
that information secure.  If they do not take action, and the
information seems legit, it seems it would be appropriate to hand it
over to authorities to investigate.

 

I don't believe that contacting the individual yourself would be
appropriate.  If it was my personal information, I would hope that
someone that had found it would make the organization get their act
together and fix the issue.  I would personally like to know that my
information was out there.  However, as an administrator I would rather
know before my users so I knew how to answer the phone calls.

 

Matt

 

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>


 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
Sent: Thursday, April 24, 2008 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] P2P sensitive data searches

 

Scenario:

  We have begun doing investigation into whether any sensitive data
from our institution (Texas State University) is showing up on P2P
networks.  We are doing this right now through keyword searches.

 

Issue:

  We are coming across sensitive/confidential personal information (SSN,
Driver's License, etc.).  While a lot of this seems to be fake (perhaps a
honeypot situation), a small amount of legitimate information looks to
be accidentally shared.

 

I feel that we have an ethical obligation to at least make an attempt to
either pass the information to an appropriate agency or contact the
individual.  Does anyone have any suggestions or thoughts about the path
to take as well as any possible issues with pursuing this?

 

Thanks for any input,

Corbett Consolvo

Texas State University

Cc72 () txstate edu

 

 

