So, TorrentFreak is reporting a massive security lapse on the part of MediaDefender, a company that makes its money running interference on internet-based copyright infringement. In addition to exposing what probably qualify as trade secrets, quite a lot of sensitive personal data was also exposed (social security numbers and the like).
Executives, take note: this is why you cannot ignore the security policies written by your IT guys.
The helpful commenters over on Slashdot suggest that the story unfolds something like this:
One: Executive forwards all of his email from MediaDefender's secure email system to his gmail account. If this was not against company policy, it should have been. Furthermore, some of these emails included usernames and passwords as well as social security numbers. Passwords should be emailed under very limited circumstances and always changed immediately thereafter; social security numbers should never be emailed.
Two: Said executive decides for some reason to create an account on a torrent tracker dealing in copyrighted works. He registers with his gmail account and uses the same password for both his gmail and torrent accounts. This is why you do not use the same password for every account! Because...
Three: Administrators at this torrent tracker recognize the MediaDefender IP address. They use the password said executive so graciously handed to them, log into his gmail account, and leak some 700MB of sensitive information to the web. Thus, all the security that MediaDefender's IT department built into its technology, likely at some expense, was handily circumvented by one person's failure to comply.
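The first two steps are exactly the kind of failure a mail gateway control can catch before a person's judgment has to: messages carrying social security numbers or passwords, messages going to an outside mailbox, and mailbox rules that auto-forward everything to a personal account. The following is an added illustration written for this post, not code from MediaDefender or from any real DLP product; the internal domain `corp.example`, the sample messages and the forwarding rules are all constructed, and the regular expressions are deliberately simple hints rather than a complete detector.

```python
import re
from dataclasses import dataclass

# Assumed internal domain for the constructed examples; the company's real
# domain is not given in the post.
INTERNAL_DOMAIN = "corp.example"

# US SSN in the common dashed form, excluding area/group/serial values that
# are never issued (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Lines such as "password: xyz", "passwd=xyz" or "pwd = xyz".
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def is_external(address: str) -> bool:
    """True when the address is outside the internal domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN


def scan_message(msg: Message) -> list[str]:
    """Return the policy findings for one outbound message, in a fixed order."""
    findings = []
    text = msg.subject + "\n" + msg.body
    if SSN_RE.search(text):
        findings.append("ssn")
    if CRED_RE.search(text):
        findings.append("credential")
    if any(is_external(r) for r in msg.recipients):
        findings.append("external_recipient")
    return findings


def decide(findings: list[str]) -> str:
    """Map findings to a gateway decision: block, warn or allow."""
    if "ssn" in findings:
        return "block"   # SSNs never travel by email, internally or not
    if "credential" in findings and "external_recipient" in findings:
        return "block"   # a password leaving the company is already a leak
    if "credential" in findings:
        return "warn"    # tolerated internally, but the password must be rotated
    return "allow"


def forwarding_violations(rules: list[tuple[str, str]]) -> list[str]:
    """Given (mailbox, forward_to) pairs, return mailboxes that auto-forward outside."""
    return [mailbox for mailbox, target in rules if is_external(target)]


# Constructed sample traffic; none of this is real data from the incident.
SAMPLE_MESSAGES = [
    Message("exec@corp.example", ["exec.personal@gmail.com"], "Tracker creds",
            "Here is the tracker login. Password: Hunter2!"),
    Message("hr@corp.example", ["payroll@corp.example"], "New hire",
            "New hire SSN is 123-45-6789, please set up payroll."),
    Message("it@corp.example", ["staff@corp.example"], "VPN rollout",
            "Temporary VPN pwd = Welcome1, change it on first login."),
    Message("exec@corp.example", ["friend@gmail.com"], "Lunch",
            "Lunch tomorrow?"),
]

# Constructed mailbox forwarding rules: (mailbox, destination).
SAMPLE_FORWARD_RULES = [
    ("exec@corp.example", "exec.personal@gmail.com"),
    ("it@corp.example", "helpdesk@corp.example"),
]


def run_samples() -> list[tuple[str, str]]:
    """Decision per sample message, keyed by subject."""
    return [(m.subject, decide(scan_message(m))) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, verdict in run_samples():
        print(f"{verdict:5s}  {subject}")
    print("external auto-forward:", forwarding_violations(SAMPLE_FORWARD_RULES))
```

The point of the third function is that a forwarding rule is a one-time policy violation that then silently exports every later message, so auditing those rules catches step one of the story even when no single message trips the content scanner.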
Now, there are some pretty malicious people out there who have unfettered access to the phone numbers, addresses, social security numbers, and salary information of the MediaDefender crew. The leak is all over the internet; this is not something you can fix with a cease-and-desist letter or two. If they figure out who misappropriated the data, MediaDefender might be able to haul him to trial, but the chances of finding that person are slender, and the chances of that person being American, slim-to-none.
Once upon a time, sending in the lawyers might have been effective damage control. But these days, while lawyers might get you some compensation, they'll never fix your data leak; information moves too quickly. Some say that information wants to be free; maybe that's true, but at the very least, the more you threaten people with legal action, the more publicity you will garner and the more widespread your once-secret information will become. This is the grand paradox of the Information Age.
Which is why an ounce of prevention is worth well over a pound of cure. Sending lawyers to negotiate settlements with rivals in the industry might actually save a company damaged in this way, but in this case, the damage was probably done by insolvent 20-year-olds, or 15-year-olds for that matter. Because it confirms as true a lot of things they and their clients have been denying for some time (including Wikipedia abuse), this leak will almost certainly hurt MediaDefender's business model; at worst, it could put them out of business. Which for some (like the proprietors of such fixtures as The Pirate Bay, the famed Swedish filesharing site) would be a welcome change in the landscape, but the families of MediaDefender's employees would probably not agree.
(Cue Randal and Dante.)
At any rate, business professionals take note. In the 21st Century, your IT guys may be low-paid grunts compared to the MBAs and JDs raking in six- and seven-figure salaries at the top of your organization. But when it comes to technology, they know what they are doing, and (odds are) you don't. Recognize your limitations and let them help you! That's what you pay them for. You don't want to be responsible for this kind of breach because you overestimated your understanding. This is the kind of thing that costs people their livelihoods, including people who might not have a yacht to sell if they come up short next month.
So please, take information security seriously.