What’s your data worth on the black market?
April 6, 2009 by Valerie Helmbreck. Posted in: Communication, Compliance, Databases, Information security, Special Report, e-commerce

Does this sound too far-fetched? Data from your finance department turns up in Iran, downloaded by a cybercriminal who can now sell it to your competitor.
Sound implausible?
Well, if it could happen to highly classified plans for the U.S. president’s helicopter, chances are pretty good your next quarter’s sales forecasts could suffer the same fate.
At the very least, you can minimize the risk.
How did top-secret design schematics wind up in the hands of thieves half a world away?
Peer-to-peer (P2P) file sharing inadvertently allowed highly classified documents to be freely shared with others using the same network.
The plans were downloaded by an “information concentrator,” someone who pokes around P2P networks ferreting out sensitive (and marketable) information.
P2P sharing is the technology that nearly brought the global music industry to its knees.
It began innocuously enough with a closed group of users using the same file sharing client, originally Napster, that enabled MP3 and video swaps.
After Napster shut down, plenty of clones sprang up, services like LimeWire, BearShare, Acquisition and Fast Track, to name a few.
Most have built-in settings that limit scanning to selected folders on a user’s system.
But if the person installing the P2P client isn’t particularly savvy or careful — say, a 12-year-old or just some tech-challenged user — the software could allow everyone on the network to search each nook and cranny of a user’s computer.
In recent years, there have been dozens of highly publicized cases of P2P file sharing fiascoes. Among them:
- Al-Qaida operatives used P2P networks to share training videos
- An employee of the pharma company Pfizer exposed personal data on 17,000 company workers
- A small investment firm exposed names, Social Security numbers and birth dates of clients (including a Supreme Court justice), and
- A Dartmouth professor recently discovered thousands of private, HIPAA-protected health care records available on P2P networks.
Most of these data leaks were routine and innocent. Typical scenario: A worker has sensitive info on a work laptop, takes it home to get work done, and kids in the house use it to download music. The P2P client they use to do the scavenging exposes the contents of the laptop to the whole network.
The CTO of Tiversa, a Pennsylvania company specializing in P2P data leaks, recently said that when the Iraq War started, Tiversa employees could track U.S. troop movements because G.I.s who wanted to listen to music had installed P2P software on secure computers and inadvertently shared secret plans.
You can plug P2P leaks by:
- Creating a strict ban against P2P client installations (accompanied by user education) and enforcing the policy routinely
- Considering full-disk encryption to make data unreadable without extra work by cybercriminals
- Monitoring Web traffic to establish baselines that will let you detect spikes in activity that may indicate file sharing traffic
- Using a configuration manager that scans systems for P2P client installations and removes them
- Lowering users’ administrative rights so that P2P software clients can’t be installed, and
- Consulting a P2P forensics specialist to see if any of your data’s been compromised.
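The traffic-baseline item above is the one that can be automated. As an added example (not code from the article or from any vendor it mentions), here is a small per-host baseline-and-spike check run over a constructed log of daily outbound byte counts; the log format and host names are assumptions.

```python
"""Per-host outbound-volume baseline with spike detection (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<date> <host> <bytes_out>" per day, not real data.
SAMPLE_LOG = """\
2009-03-30 finance-lt-07 120000
2009-03-31 finance-lt-07 135000
2009-04-01 finance-lt-07 110000
2009-04-02 finance-lt-07 128000
2009-04-03 finance-lt-07 2400000
2009-03-30 hr-desk-02 90000
2009-03-31 hr-desk-02 95000
2009-04-01 hr-desk-02 88000
2009-04-02 hr-desk-02 101000
2009-04-03 hr-desk-02 97000
"""


def parse_log(text):
    """Return {host: [(date, bytes_out), ...]} with each host's rows sorted by date."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes = line.split()
        per_host[host].append((date, int(nbytes)))
    for rows in per_host.values():
        rows.sort()
    return per_host


def find_spikes(per_host, min_history=3, factor=3.0):
    """Flag hosts whose most recent day stands out against their own history.

    The latest day is compared with all earlier days for that host. It is a
    spike when it exceeds the historical mean by `factor` standard deviations
    AND is at least `factor` times the mean; the second test keeps a nearly
    flat baseline (tiny deviation) from raising alerts on small changes.
    Returns a list of (host, date, bytes_out, baseline_mean).
    """
    alerts = []
    for host, rows in per_host.items():
        history = [b for _, b in rows[:-1]]
        if len(history) < min_history:
            continue  # not enough days to call anything a baseline
        date, latest = rows[-1]
        mu, sigma = mean(history), pstdev(history)
        if latest > mu + factor * sigma and latest >= factor * mu:
            alerts.append((host, date, latest, round(mu)))
    return alerts
```

A host whose daily outbound volume suddenly dwarfs its own baseline is a lead to investigate, not proof of file sharing; the laptop may simply have uploaded a large legitimate backup.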
So does anybody out there think their network’s immune from this kind of data mining? Show of hands please.
