What’s worse than getting hacked? How about the “failure to detect intrusions” in the first place? InfoTrax Systems is just one of the latest examples of such an impressively bad security oversight. To be clear about the extent of the “oversight”, this company was breached more than 20 times from May 2014 until March 2016, winning them the “What’s worse than getting hacked” award.
To add insult to injury, InfoTrax Systems only detected the breach after one of its employees received an alert that a server had run out of storage capacity. Investigation found that the disk had filled up because of the large archive files the attacker had created in order to stage sensitive data for exfiltration from InfoTrax’s systems.
InfoTrax Systems is a marketing technology company based in Orem, Utah, that provides back-end operations systems to multi-level marketing companies. Its service involves storing and processing an extensive amount of its clients’ data, including inventory, orders, compensation, banking, accounting, and other information.
The initial breach reportedly occurred in May 2014, when a hacker (or group of hackers) exploited several vulnerabilities in InfoTrax’s server, by way of one of its clients’ websites, to gain remote control of InfoTrax’s database server. This gave the attacker access to sensitive personal and financial information on over a million consumers. The attacker then maintained persistent control of the compromised database server for nearly two years.
The Complaint
The United States Federal Trade Commission (FTC) has sued InfoTrax Systems, LLC for failing to safeguard the personal information that the company maintained on behalf of its clients. According to the FTC complaint1, the attacker remotely accessed the system 17 times over the course of 21 months without being detected, and then began pulling consumers’ personal information on March 2, 2016.
In the complaint, the FTC alleges that from at least 2014 through March 2016, InfoTrax Systems and its former CEO Mark Rawlins engaged in a number of unreasonable data security practices. The complaint goes on to state that the “Respondents” could have addressed each of these failures by implementing readily available and relatively low-cost security measures. The following excerpt from the complaint details the unreasonable data security practices:
“From at least 2014 through March 2016, Respondents engaged in a number of unreasonable data security practices. Among other things, Respondents:
- failed to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary;
- failed to adequately assess the cybersecurity risk posed to consumers’ personal information stored on InfoTrax’s network by performing adequate code review of InfoTrax’s software, and penetration testing of InfoTrax’s network and software;
- failed to detect malicious file uploads by implementing protections such as adequate input validation;
- failed to adequately limit the locations to which third parties could upload unknown files on InfoTrax’s network;
- failed to adequately segment InfoTrax’s network to ensure that one client’s distributors could not access another client’s data on the network;
- failed to implement safeguards to detect anomalous activity and/or cybersecurity events. For example, Respondents failed to:
  - implement an intrusion prevention or detection system to alert Respondents of potentially unauthorized queries and/or access to InfoTrax’s network;
  - use file integrity monitoring tools to determine whether any files on InfoTrax’s network had been altered; and
  - use data loss prevention tools to regularly monitor for unauthorized attempts to exfiltrate consumers’ personal information outside InfoTrax’s network boundaries; and
- stored consumers’ personal information, including consumers’ SSNs, payment card information (including full or partial credit card and debit card numbers, CVVs, and expiration dates), bank account information (including account and routing numbers), and authentication credentials such as user IDs and passwords, in clear, readable text on InfoTrax’s network.”
As outlined in the complaint, the stolen information included customers’ full names, physical addresses, email addresses, telephone numbers, Social Security numbers, and the usernames and passwords for 4,100 distributor and admin accounts on the InfoTrax service. The leaked data also included payment card information for several customers: full or partial credit and debit card numbers, Card Verification Values (CVVs), and expiration dates. Bank account information (including account and routing numbers) was also exposed in the breach.
Data Breach & Stolen Data
InfoTrax Systems discovered the breach on March 7, 2016, when it began receiving alerts that one of its servers had reached its maximum storage capacity. InfoTrax personnel investigated and found that the server had filled up because of a massive data archive file the hacker had created while harvesting stolen data on InfoTrax’s customers. The hacker successfully breached the company’s servers at least two more times after InfoTrax Systems became aware of the intrusion.
On March 14, 2016, the hacker harvested over 2,300 unique, full payment card numbers, along with names, physical addresses, CVVs, expiration dates, and other billing data newly submitted by distributors. On March 29, 2016, the hacker used the username and password of a valid InfoTrax distributor account to upload more malicious code and once again collect newly submitted payment card data.
According to the FTC, InfoTrax Systems failed to “inventory and delete personal information no longer needed, conduct code review of its software and testing of its network, detect malicious file uploads, adequately segment its network, and implement cybersecurity safeguards to detect unusual activity on its network.”
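Two of the controls the complaint says were missing, input validation on third-party uploads and detection of anomalous activity that would have caught the staged archive files, can be sketched in a few dozen lines. The block below is an added example written for this article; it is not InfoTrax’s code and it does not come from the FTC filings. The allowed file types, the 5 MiB size cap, the 1 KiB detection threshold and the sample files are assumptions made for the demo.

```python
# Added example for this article, not InfoTrax's code nor anything from the
# FTC filings. Allowed types, size cap, threshold and sample files are assumed.
from __future__ import annotations

import os
import tempfile

# Leading bytes of archive formats an intruder is likely to use to bundle data.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# Assumed upload policy: images and PDFs only, each extension tied to the
# leading bytes the content must actually carry.
ALLOWED_UPLOADS = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed 5 MiB cap


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether a third-party upload may be written to disk at all."""
    name = os.path.basename(filename)  # ignore any path the client supplied
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOADS:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_UPLOADS[ext]):
        return False, "content does not match claimed type"
    # shell.php.png may carry genuine PNG bytes; refuse the name anyway so
    # nothing with an executable suffix ever lands in a web-served directory.
    if os.path.splitext(stem)[1].lower() in EXECUTABLE_SUFFIXES:
        return False, "double extension with executable suffix"
    return True, "ok"


def find_staged_archives(root: str, min_bytes: int) -> list[tuple[str, str, int]]:
    """Report (path, kind, size) for archives under `root` larger than
    `min_bytes`, identified by content rather than name, largest first.
    Run it where no archive belongs: web roots, upload and temp directories."""
    longest = max(len(m) for m in ARCHIVE_MAGIC)
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                if size < min_bytes:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(longest)
            except OSError:
                continue  # vanished or unreadable; a real scanner would log it
            for magic, kind in ARCHIVE_MAGIC.items():
                if head.startswith(magic):
                    findings.append((path, kind, size))
                    break
    return sorted(findings, key=lambda f: f[2], reverse=True)


def demo() -> dict:
    """Run both checks over constructed sample data and return the outcomes."""
    uploads = {  # constructed: two legitimate, three that must be refused
        "profile.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "invoice.pdf": b"%PDF-1.4\n" + b"%" * 64,
        "shell.php": b"<?php system($_GET['c']); ?>",            # plain web shell
        "report.pdf": b"PK\x03\x04" + b"\x00" * 64,               # zip renamed .pdf
        "avatar.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,    # double extension
    }
    accepted = {n: validate_upload(n, d)[0] for n, d in uploads.items()}
    with tempfile.TemporaryDirectory() as root:
        staged = {  # constructed: what an intruder staging data leaves behind
            "dump_2016.zip": b"PK\x03\x04" + b"A" * 2048,  # flagged
            "x.dat": b"\x1f\x8b" + b"B" * 2048,            # gzip, bland name: flagged
            "small.zip": b"PK\x03\x04" + b"C" * 16,        # under threshold: ignored
            "index.html": b"<html>" + b"D" * 2048,         # not an archive: ignored
        }
        for n, d in staged.items():
            with open(os.path.join(root, n), "wb") as fh:
                fh.write(d)
        archives = [(os.path.basename(p), kind)
                    for p, kind, _ in find_staged_archives(root, min_bytes=1024)]
    return {"uploads": accepted, "archives": archives}


if __name__ == "__main__":
    print(demo())
```

The magic-byte check defeats a ZIP renamed to .pdf and the double-extension check refuses shell.php.png, but neither catches a genuine PNG with script appended; that is why the complaint’s companion bullet, limiting where third parties can write files at all, matters: uploads belong in storage the web server never executes from. The archive scan identifies files by content rather than name, so a gzip called x.dat is still reported. In a real deployment it would run on a schedule against web roots, upload directories and temp directories, and its findings would go into the same alerting path the disk-capacity alert used, only much earlier.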
On Tuesday, November 12, 2019, the FTC published a press release2 quoting Andrew Smith, Director of the FTC’s Bureau of Consumer Protection: “Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers. As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”
The press release goes on to state: “As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.”
The proposed settlement3 outlines a comprehensive data security program, which InfoTrax Systems will be required to implement, to correct each of the failures identified in the complaint. Once implemented, the information security program must be reviewed and tested for vulnerabilities at least every 12 months. In addition, the proposed settlement requires InfoTrax Systems to obtain third-party assessments of its information security program every two years for the next 20 years.
A lesson for every business…
Every business regardless of size collects, manages, manipulates, and stores some amount of Personally Identifiable Information (PII) from its customers, partners, and vendors.
“Without independent auditing and testing, it’s impossible to know where your vulnerabilities are.”
This lengthy, costly, and embarrassing episode for InfoTrax Systems could have been avoided by consulting third-party security professionals and taking proactive steps toward a better security posture. Stories like these make interesting reading, but stop and think for a moment: what would happen to your business if your systems were breached and the information you were entrusted to protect got out into the wild, leaving your business to face public and legal scrutiny?
What can you do to protect your business?
Can your business prove that it’s done its “Due Diligence” and “Due Care” to protect private and sensitive data? Can your business afford the financial burden of defending various legal battles? Could your business survive such a devastating hit on its reputation?
Fact is, the time to identify your business’s security vulnerabilities and prepare for a data breach is right now… before something happens. Not afterward.
The good news is that we can help you with every step of that process. Even if you have your own internal IT personnel, or are working with another managed services provider, we can augment their efforts as a third-party resource for:
- Multi-Layered Security Engineering and Consulting Services,
- Internal/External Security Auditing and Vulnerability Assessments,
- Security and Compliance Management and Review,
- Security Policy Creation and Review,
- Business Continuity Planning that goes well beyond data backup and system recovery,
- Incident Response and Breach Notification Planning,
- Security Awareness Training Services with Measurable Results,
- And much more
Don’t become tomorrow’s headline news by being another breach statistic. Schedule your free no-obligation consultation to learn more about how a partnership with ITNS Consulting can help you better protect your business.
Sources: