Educause Security Discussion mailing list archives
Re: P2P sensitive data searches
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 24 Apr 2008 11:04:28 -0400
I am not sure about the issues with pursuing; however, perhaps one approach would be to find the host that is serving up the data and contact the security contact for that network. Organizations that keep personal information have a responsibility to those individuals to keep that information secure. If they do not take action, and the information seems legit, it seems it would be appropriate to hand it over to authorities to investigate.

I don't believe that contacting the individual yourself would be appropriate. If it was my personal information, I would hope that someone that had found it would make the organization get their act together and fix the issue. I would personally like to know that my information was out there. However, as an administrator I would rather know before my users so I knew how to answer the phone calls.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
Sent: Thursday, April 24, 2008 10:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] P2P sensitive data searches

Scenario: We have begun doing investigation into whether any sensitive data from our institution (Texas State University) is showing up on P2P networks. We are doing this right now through keyword searches.

Issue: We are coming across sensitive/confidential personal information (SSN, Drivers License, etc.). While a lot of this seems to be fake (perhaps a honeypot situation), a small amount of legitimate information looks to be accidentally shared. I feel that we have an ethical obligation to at least make an attempt to either pass the information to an appropriate agency or contact the individual. Does anyone have any suggestions or thoughts about the path to take as well as any possible issues with pursuing this?

Thanks for any input,

Corbett Consolvo
Texas State University
Cc72 () txstate edu