
InfoTrax Settles With FTC Over Data Breach

Backend operation services provider InfoTrax Systems has reached a settlement with the U.S. Federal Trade Commission (FTC) over a data breach discovered in 2016, the agency announced this week.

Utah-based InfoTrax provides multi-level marketers with a variety of services, including compensation, inventory, accounting, and training, as well as data security, in addition to operating website portals for its customers.

In early 2016, the company discovered that hackers had compromised its servers, and that customer data, including sensitive information, had been accessed by the attackers.

According to an FTC complaint, InfoTrax and its former CEO Mark Rawlins failed to properly secure the personal information of its clients. Moreover, the Commission notes that the company didn’t even use “reasonable, low-cost, and readily available security protections” to ensure the safety of that data.

The FTC says InfoTrax did not keep track of and remove customer data it no longer needed, did not conduct software code reviews or network testing, failed to detect malicious file uploads, failed to adequately segment its network, and did not implement the necessary safeguards to detect unusual activity on its network.

On top of that, the company apparently stored sensitive information such as Social Security numbers, payment card information, bank account information, and usernames and passwords in clear text on its network.

These failures, the FTC notes, allowed a hacker to access InfoTrax’s server and customer websites over 20 times between May 2014 and March 2016. The complaint also alleges that, in March 2016, the hacker accessed over one million customers’ personal information.

In March 2016, the hacker created a large data archive file that resulted in the server reaching maximum storage capacity, and only then was InfoTrax able to detect the unauthorized activity.
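The detection failure described above is a concrete one: a very large archive was written to a server and nobody noticed until the volume filled. As an added example (not InfoTrax's tooling, and not part of the FTC filing), the script below runs three simple rules over a constructed stream of file-creation events of the kind a host agent or audit log would emit: an absolute size cap on archive files, a relative outlier check against the median size of recent writes, and the disk-utilisation alarm that was, in effect, the only signal InfoTrax had. The event format, thresholds and sample data are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar")


@dataclass(frozen=True)
class FileEvent:
    """One file-creation record (constructed format, not a real agent's)."""
    ts: str              # ISO-8601 timestamp
    host: str
    path: str
    size_bytes: int
    disk_used_pct: float  # volume utilisation after the write


def is_archive(path: str) -> bool:
    return path.lower().endswith(ARCHIVE_SUFFIXES)


def detect_staging(events: List[FileEvent], archive_limit: int = 1024 ** 3,
                   ratio: float = 20.0, window: int = 50,
                   disk_alert_pct: float = 90.0) -> List[Tuple[str, FileEvent]]:
    """Return (rule, event) alerts in stream order.

    LARGE_ARCHIVE  : an archive file at or above archive_limit bytes.
    SIZE_OUTLIER   : a write more than `ratio` times the median size of the
                     previous `window` writes (needs at least 5 prior writes).
    DISK_NEAR_FULL : utilisation at or above disk_alert_pct, the last-resort
                     signal that fires only once the damage is done.
    """
    alerts: List[Tuple[str, FileEvent]] = []
    history: List[int] = []
    for ev in events:
        if is_archive(ev.path) and ev.size_bytes >= archive_limit:
            alerts.append(("LARGE_ARCHIVE", ev))
        if len(history) >= 5:
            baseline = median(history[-window:])
            if baseline > 0 and ev.size_bytes > ratio * baseline:
                alerts.append(("SIZE_OUTLIER", ev))
        if ev.disk_used_pct >= disk_alert_pct:
            alerts.append(("DISK_NEAR_FULL", ev))
        history.append(ev.size_bytes)
    return alerts


def first_alert(events: List[FileEvent]) -> Optional[str]:
    """Name of the rule that would have fired first, or None."""
    alerts = detect_staging(events)
    return alerts[0][0] if alerts else None


GiB = 1024 ** 3
# Constructed sample stream: eight routine writes, one oversized archive, then
# the disk-full condition. Hostnames, paths and sizes are invented.
SAMPLE_EVENTS = [
    FileEvent("2016-03-01T08:00:00Z", "web01", "/var/log/app.log", 120_000, 61.0),
    FileEvent("2016-03-01T08:05:00Z", "web01", "/srv/uploads/report.pdf", 2_500_000, 61.0),
    FileEvent("2016-03-01T08:07:00Z", "web01", "/var/log/auth.log", 80_000, 61.0),
    FileEvent("2016-03-01T08:15:00Z", "web01", "/srv/uploads/catalog.pdf", 4_000_000, 61.1),
    FileEvent("2016-03-01T08:20:00Z", "web01", "/tmp/session.cache", 600_000, 61.1),
    FileEvent("2016-03-01T08:30:00Z", "web01", "/srv/uploads/photo.jpg", 1_100_000, 61.1),
    FileEvent("2016-03-01T08:41:00Z", "web01", "/var/log/app.log", 250_000, 61.1),
    FileEvent("2016-03-01T08:50:00Z", "web01", "/srv/uploads/invoice.pdf", 3_200_000, 61.2),
    FileEvent("2016-03-01T09:02:00Z", "web01", "/tmp/.x/export.tar.gz", 40 * GiB, 78.0),
    FileEvent("2016-03-01T09:40:00Z", "web01", "/var/log/app.log", 4_096, 97.5),
]

if __name__ == "__main__":
    for rule, ev in detect_staging(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.host} {rule:<15} {ev.path} ({ev.size_bytes} bytes)")
    print("first signal:", first_alert(SAMPLE_EVENTS))
```

On the sample stream both size-based rules fire at the moment the archive appears, well before the disk alarm. The absolute cap catches bulk staging regardless of history, the relative rule catches it on a server with no prior idea of "normal", and the disk alarm remains as the backstop it should never have to be.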

As part of the proposed settlement (PDF), both the company and its former CEO are prohibited from collecting, selling, sharing, or storing personal information if they do not implement a cyber-security program to address said failures.

InfoTrax has agreed to assess and document internal and external security risks, to implement safeguards to ensure customer personal information is protected, and to test and monitor the effectiveness of those safeguards.

The company is also required to obtain assessments of its information security program from third parties every two years, and the Commission has the authority to approve the assessor.

In a statement published on the company’s website, InfoTrax CEO and President Scott Smith said that the company took all the necessary steps to close the breach as soon as it discovered it, and that it also immediately informed the affected customers and law enforcement, in addition to contracting forensic security experts to identify vulnerabilities in its systems.

“Without agreeing with the FTC’s findings from their investigation, we have signed a consent order that outlines the security measures that we will maintain going forward, many of which were implemented before we received the FTC’s order,” Smith said.

Related: FTC Warns Cash Option May be Small for Equifax Settlement

Related: FTC Fines Facebook $5B, Adds Limited Oversight on Privacy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
