The social security numbers and other personal information of more than 5,200 ABN AMRO Mortgage Group borrowers were inadvertently opened to access by anyone using an online file sharing network as a result of actions by a former employee.
Although the computer was taken off-line after the security breach was discovered, "the information could still be out there" because of the sharing, MortgageDaily.com was told by Chris Gormley, chief operating officer at Tiversa Inc., a Pittsburgh area company that provides technology and investigation services regarding data breaches. Tiversa found the breach after a caller raised questions indicating a security breach.
The breach also included mortgage types and loan amounts for each borrower, he said.
While file sharing, also known as peer-to-peer, should be limited to items in a specially created separate shared folder, "it's not easy to do that," Gormley said, and in this case every file on the computer, including the mortgage files on 5,204 mortgage borrowers, was "viewable by anyone" using the BearShare P2P file sharing network. Viewers can then copy and pass on the information, which is what often happens after a security breach is closed, he explained.
Tiversa didn't take the time and expense to track any sharing that may have taken place because ABN AMRO is not one of its clients, Gormley said.
ABN AMRO's parent, Citigroup Inc., said in a statement e-mailed to MortgageDaily.com that it has retrieved the customer information from the source computer and is now "taking appropriate steps to identify, notify and protect the customers involved, including offering complimentary credit monitoring services."
"Protecting customer information remains a priority at Citi," the statement stressed, "and we remain fully committed to physical, electronic and procedural safeguards to protect personal information."
While the BearShare file sharing network is intended to be used by consumers who want to find others from whom they can download specific music recordings or movies by title or artist, participants in the P2P program can inadvertently open their entire document files to users, Gormley explained. Thus while most persons type in the name and artist of a specific recording being sought for download direct from other users, identity thieves can type in requests for personal information.
"People are out there trolling all the time," he said, pointing out that in a recent two-week period there were 118,000 searches beginning with the word "credit," including 56,000 searches using the term "credit cards." Why would such searches take place on a file sharing network devoted to music and movies except for identity theft, he asked.
In file sharing network exchanges, files do not go through any central computer server in the middle of the exchange, Gormley explained. However, Tiversa can observe such activity, even determining where this information goes once it is opened to sharing, he said. Thus it can see what inadvertent file sharing is taking place.
Finding files with such personal information as social security and credit card numbers "comes down to what are the files named," he said, pointing out that the initial files in the ABN AMRO case related to commissions. Once identity thieves access one such file, they can locate the computer and gain access to all unprotected files on that computer, Gormley noted.