Utah-based InfoTrax Systems, L.C. has settled with the
FTC (Federal Trade Commission) over its failure to protect its data following a
hack that exposed the data of 1 million clients.
Hackers breached the InfoTrax Systems infrastructure and
remained undetected until the company inadvertently discovered the breach when
an archive created by the criminals filled one of its servers' hard drives to
capacity.
InfoTrax Systems offers back-end operations services to
multi-level marketers, including inventory, ordering, training, data security,
and support for its clients' website portals. The company stored sensitive
information on its servers, such as Social Security numbers, payment
information, user names and passwords, and various bank details, all in
clear text.
According to an Ars Technica report,
the first breach took place in May 2014, when the attackers found a way to
exploit an unpatched vulnerability. In total, the hacker accessed the company's
systems 17 times and gathered data on about 1 million users.
While InfoTrax did eventually secure its network, the
hackers still had access to the systems. The original hacker, or others who had
access to the data, even logged into the websites of its clients.
“InfoTrax did not detect these intrusions until
March 2016, when it was alerted that its servers had reached maximum capacity.
This alert was due to a data archive file created by the hacker who had
infiltrated its network," says the FTC in a communiqué. "InfoTrax's
security failures not only affected its network but also the websites of its
clients, the FTC alleges. The personal information that the intruder obtained
can be used to commit identity theft and fraud.”
As part of the settlement with the FTC, the company is no
longer allowed to collect, sell, share, or store data on its clients until it
implements a system to secure this information. The settlement also requires the
company to obtain an external audit of its security systems every two years.