InfoTrax hack discovered years later when servers ran out of space


The company was breached more than 20 times in two years; maxed-out disk space revealed the hack

The Federal Trade Commission released a statement[1] announcing that Utah-based IT provider InfoTrax Systems failed to detect 20 hacking attempts between May 2014 and March 2016.[2] These undetected attacks exposed the data of at least a million customers to the hackers. The incident was discovered when a file planted by the hackers grew until it exceeded the system's storage. InfoTrax Systems received an alert about its servers running out of space, investigated the issue, and only then found out about the breach.[3]

InfoTrax Systems provides hosted applications for multi-level marketers. Companies can store data on customers and employees and manage MLM operations using InfoTrax programs. However, according to the FTC's investigation, the company failed to secure its servers, which allowed malicious activity to go on unnoticed. As a result, the personal details of at least a million users were accessed and possibly stolen.[4]

20 separate hacker attacks and the data breach that InfoTrax failed to detect

It is thought that hackers exploited a flaw in the system and gained access to the company's server sometime in May 2014. After the hole was found, the server was accessed at least 17 times, and the intrusions remained undetected. On March 2, 2016, hackers got access to customer data. It is believed that they stole the personal information of one million customers and employees, including the following data:

  • full names
  • social security numbers
  • addresses
  • email addresses
  • phone numbers
  • usernames
  • passwords for InfoTrax accounts 

A few days later, on March 6, 2016, according to the FTC, the hacker stole an additional 4,100 usernames, passwords in clear text, names, and payment card data. A week after that, the full payment card numbers, expiration dates, CVVs, full names, and physical addresses of more than 2,300 additional customers were stolen. On March 29th, the intruder used a client's username and password to upload additional malicious code to the network and collect newly added payment card data.

Unfortunately, the data breach remained undiscovered until the 7th of March, 2016, when the alert about full disk space was received. A hacker-created file had grown so large that the hard drive ran out of free space. The company started to secure the network only then, and according to the same complaint, the InfoTrax network was compromised at least two additional times.

The failure caused fraud, further data loss, and identity theft

After the breach, 238 complaints of unauthorized payment card charges, 34 incidents of new credit lines being opened, and 15 complaints of tax fraud[5] were received. The company will be barred from collecting, selling, storing, or sharing any personal information until the security program is corrected and all the failures are fixed. InfoTrax is also required to have its network security properly checked every two years, and the company has agreed to this settlement.[6]

The settlement between the FTC and the IT provider obliges InfoTrax to:

  • detect malicious file uploads;
  • conduct code review of the software and test the network;
  • delete personal information that is no longer needed;
  • adequately segment the network;
  • implement cybersecurity safeguards to detect unusual activity on the network.  

Since the company took action only years after the incident, customers most likely suffered significant harm; as the FTC complaint states, such an incident can lead to more significant and more targeted cyber attacks:

Respondents’ failure to provide reasonable security for the personal information of distributors and end consumers has caused or is likely to cause substantial injury to consumers in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.