Peer-to-peer software leaks confidential police data

IT security and control firm Sophos is reminding companies of the importance of enforcing stringent IT security policies after it was revealed that a Japanese policeman has lost his job for accidentally leaking confidential information via peer-to-peer (P2P) file-sharing software.

According to reports, the fired policeman, who has not been named, worked for the Metropolitan Police Department in Tokyo, which confirmed recently that personal information regarding 12,000 people related to criminal investigations had been distributed across the net from the officer’s PC. The police officer had apparently installed the Winny file-sharing software on his PC, and did not know that confidential data was being made available to other users via the P2P network.

About 6,600 police documents are said to have been compromised, including interrogation reports, statements from victims of crime, and classified locations of automatic licence plate readers. Among the files was a list of the names, addresses and personal information concerning 400 members of the notorious criminal Yamaguchi-gumi yakuza gang. Officials note that the officer had claimed, in an internal survey prior to the leak, that he was not using the Winny P2P software on his PC.

“It’s no surprise that the Japanese police force has taken a hard line against this officer for disobeying advice about not running P2P file-sharing software on his PC – the authorities have been trying to enforce a ban following a number of similar embarrassing incidents in the past,” said Graham Cluley, senior technology consultant for Sophos. “But what this case really does underline is the need for all businesses to better control their users’ behaviour, and limit the programs they can run on their computers. Firms need to ask themselves if their employees have a legitimate requirement to run applications like P2P software, and if not, control their usage through technology.”

The authorities are reported to be holding the officer’s superiors partially responsible for the incident, and may reprimand up to ten other people.

Sophos notes that this was not the first occasion that information has leaked via peer-to-peer file-sharing networks. In May 2006, Sophos reported that a virus had leaked power plant secrets via Winny for the second time in four months. The previous month, a Japanese anti-virus company admitted that internal documents and customer information had been leaked after one of its employees failed to install anti-virus software, while earlier in 2006, Sophos described how information about Japanese sex victims was leaked by a virus after a police investigator’s computer had been infected.

A survey conducted last year by Sophos reflects the serious concern that uncontrolled applications are causing system administrators. For example, 86.5 percent of respondents said they want the opportunity to block P2P applications, with 79 percent indicating that blocking is essential.