Backend operation services provider InfoTrax Systems has reached a settlement with the U.S. Federal Trade Commission (FTC) over a data breach discovered in 2016, the agency announced this week.
Utah-based InfoTrax provides multi-level marketers with a variety of services, including compensation, inventory, accounting, and training, as well as data security, in addition to operating website portals for its customers.
In early 2016, the company discovered that hackers had compromised its servers, and that customer data, including sensitive information, had been accessed by the attackers.
According to an FTC complaint, InfoTrax and its former CEO Mark Rawlins failed to properly secure the personal information of its clients. Moreover, the Commission notes that the company didn’t even use “reasonable, low-cost, and readily available security protections” to ensure the safety of that data.
The FTC says InfoTrax did not keep track of and remove customer data it no longer needed, did not conduct software code reviews or network testing, failed to detect malicious file uploads, failed to adequately segment its network, and did not implement the necessary safeguards to detect unusual activity on its network.
On top of that, the company apparently stored sensitive information such as Social Security numbers, payment card information, bank account information, and usernames and passwords in clear text on its network.
These failures, the FTC notes, allowed a hacker to access InfoTrax's server and customer websites more than 20 times between May 2014 and March 2016. The complaint also alleges that, in March 2016, the hacker accessed the personal information of over one million customers.
In March 2016, the hacker created a large data archive file that resulted in the server reaching maximum storage capacity, and only then was InfoTrax able to detect the unauthorized activity.
As part of the proposed settlement (PDF), both the company and its former CEO are prohibited from collecting, selling, sharing, or storing personal information unless they implement a cyber-security program that addresses the failures described above.
InfoTrax has agreed to assess and document internal and external security risks, to implement safeguards to ensure customer personal information is protected, and to test and monitor the effectiveness of those safeguards.
The company is also required to obtain assessments of its information security program from third parties every two years. Additionally, the Commission has the authority to approve the assessor.
In a statement published on the company’s website, InfoTrax CEO and President Scott Smith said that the company took all the necessary steps to close the breach as soon as it discovered it, and that it also immediately informed the affected customers and law enforcement, in addition to contracting forensic security experts to identify vulnerabilities in its systems.
“Without agreeing with the FTC’s findings from their investigation, we have signed a consent order that outlines the security measures that we will maintain going forward, many of which were implemented before we received the FTC’s order,” Smith said.