Utah-based InfoTrax Systems, L.C. has settled with the FCC (Federal Trade Commission) for its failure to protect its data following a hack that exposed the data for 1 million clients.
Hackers breached the InfoTrax Systems infrastructure and remained undetected until the company inadvertently discovered the breach when an archive created by the criminals filled one of the server’s hard-drives to capacity.
InfoTrax Systems offers back-end operation services to multi-level marketers, including inventory, ordering, training, data security, and support for its clients’ website portals. The company stored sensitive information on its servers, such as Social Security numbers, payment information, user names and passwords, and various bank information, all in clear text format.
According to an Ars Technica report, the first breach took place in May 2014 when the attackers figured out a way to exploit an unpatched vulnerability. In total, the hacker accessed the company systems 17 times and gathered data on about 1 million users.
While InfoTrax did eventually secure their network, the hackers still had access to the systems. The original hacker or others that had access to the data even logged into the websites of its clients.
“InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network,” says the FCC in a communique. “InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges. The personal information that the intruder obtained can be used to commit identity theft and fraud.”
As part of the settlement with the FCC, the company is no longer allowed to collect, sell, share, or store data on its clients until they implement a system to secure this information. The settlement also forces the company to get an external audit of its security systems every two years.