Three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers of ABN Amro Mortgage Group were inadvertently leaked over an online file-sharing network by a former employee.
Tiversa Inc., a Pittsburgh company that offers data-leakage protection services, traced the origins of the ABN data to a Florida computer with the BearShare software installed.
BearShare, LimeWire and scores of other programs are designed to distribute and find songs, movies and other files over the Gnutella file-sharing network.
Tiversa Chief Executive Robert Boback said file-sharing programs are commonly misconfigured to share documents their owners never intended to make public.
With such peer-to-peer sharing systems, files are obtained directly from another user's hard drive rather than from a central hub, as with traditional Web sites. As a result, once a file begins to circulate, copies can sit on computers all over the world, ready to be grabbed by other users.
Boback said Tiversa had yet to perform a full analysis to see how far the data had spread worldwide, but found evidence the files already had moved beyond the former employee's computer.
"There is no question in my mind that ... identity thieves have these files, and if they haven't already, they will be acting on them very soon," Boback said Friday.
Earlier this month, a Seattle man was arrested in what federal authorities described as their first case against someone accused of using file-sharing computer programs to commit identity theft.
Gregory Thomas Kopiloff has pleaded not guilty to charges of using such programs to troll other people's computers for financial information that he then used to open credit cards for an online shopping spree.
Tiversa was investigating the breach on behalf of a reporter for Dow Jones Newswires, which reported on the leakage earlier.
The file in question leaked through the former employee's home computer, underscoring the challenges companies face in trying to control sensitive information when their employees increasingly conduct business at home and on the road.
Michael Hanretta, a spokesman for ABN parent company Citigroup Inc., said the company was investigating.
"Citi's information-security standards require that confidential information be stored on Citi-managed devices," he said in a statement. "Protecting customer information remains a priority at Citi and we remain fully committed to physical, electronic and procedural safeguards to protect personal information."
Boback said more than 1 billion searches are conducted daily over peer-to-peer systems. A good number involve bank names, the word "password" and other terms that appear to be attempts by would-be thieves to dig up other people's sensitive documents, he said.