Thousands of computer users every moment could lose their most personal information -- tax returns, credit cards, and banking and investment accounts -- even though no one hacked or scammed them.
They give it away, often unknowingly, and potentially expose not only themselves but family, friends and employers.
People who go online to download music and movies on file-sharing or peer-to-peer networks often incorrectly configure default settings so that they end up sharing other files on their computer. Anyone else using those sharing networks at the same time can take whatever they find.
That "free" song download from sharing unexpectedly becomes costly.
Over the past year, 18,000 Americans gave away federal tax returns that way. The problem of identity theft has become so bad the Internal Revenue Service paid out $5.2 billion in false tax returns in 2010.
"This is what I refer to as a silent security risk," said Howard Schmidt, former "cyber czar" to Presidents George W. Bush and Barack Obama. "We all talk about phishing emails and traditional hacking, but this is a silent piece of that. People inadvertently are giving their stuff up."
When they do, Pittsburgh-based Tiversa collects almost all of the shared information from open computers. Touted as the Google of file-sharing, the company connects to millions of computers per second across 2,800 networks around the world. It collects shared files and archives them to be searched for information about Tiversa's clients.
On a recent Monday, Tiversa's searches of open file-sharing accounts found:
--Medical information on nearly 9,000 patients, including names, Social Security numbers, insurance numbers and home addresses;
--Confidential psychological evaluations for hundreds of patients;
--A U.S. military roster with nearly 500 names, ranks and Social Security numbers;
--A company payroll list of nearly 150 employees with names, Social Security numbers and salaries; and
--Personal information on nearly 3,000 police officers from a major U.S. city, including names, Social Security numbers and birthdates. (They wouldn't say which city.)
Because information gets shared only when users are online, the number of files available at any moment varies. Based on its searches alone, Tiversa officials suspect most information sharing happens by accident by unknowing computer users, but also criminals intentionally posting specific files.
Analysts on the seventh floor of the company's Downtown headquarters on Liberty Avenue sit inside a dimly lit, glass-walled room with rows of computers -- facing a bank of servers alive with blinking lights behind another glass wall. Workers pore through shared files for information about Tiversa's corporate clients and individuals who use LifeLock, the identify theft protection service.
They watch for criminal activity. After it became public that someone posted stolen credit reports on first lady Michelle Obama, FBI Director Robert Mueller, Donald Trump and other celebrities online, Tiversa began tracking the information. The company found that computer users in China, Russia, Nigeria and a dozen other countries downloaded and shared the information. It reported the findings to the Department of Justice.
"We see files like this all the time, but not files this well known," said Mike Prusinski, Tiversa's chief of staff. "These are the hidden risks of peer-to-peer file-sharing. While they do great things, they also provide some bad opportunities."
