The Federal Trade Commission (FTC) has taken InfoTrax Systems to court over its alleged failure to protect the data entrusted to it by its clients, after a series of intrusions that scraped the information of more than one million people went undetected for more than 22 months.
The FTC filed the complaint against the Utah-based IT company InfoTrax Systems and its Chief Executive Officer, Mark Rawlins. In a six-page document, the trade regulator claims that the servers of InfoTrax Systems were infiltrated by a malicious actor. The hacker was able to install a script that gave it remote control over the company’s systems.
InfoTrax Systems is an IT company serving clients in the direct sales industry. The lawsuit filed by the FTC represents the interests of different multi-level marketing companies that relied on the products and services provided by InfoTrax Systems for “all aspects of their business operations, including compensation, inventory, orders, accounting, training, communication, and data security, among other things.”
The complaint alleges that the servers of InfoTrax Systems were first infiltrated by a malicious actor in May 2014 and that more than 17 further intrusions followed over the next 21 months. All of these remained undetected by the company until the hacker maxed out the storage capacity of one of its servers on March 7, 2016 – two years after the malicious actor's persistent intrusion began.
According to the FTC’s complaint, by the time the company's employees discovered the intrusions, the hacker had already gained access to sensitive data belonging to more than one million users of InfoTrax Systems' various clients.
The data the hacker accessed without permission includes sensitive Personally Identifiable Information (PII) such as names, Social Security numbers, addresses, and even financial information. According to the complaint, the hacker was able to obtain partial and full credit card information for some of the affected individuals.
Other information breached during the undetected intrusions included: full names; dates of birth; physical and email addresses; telephone numbers; Social Security numbers (“SSNs”) or other government identification numbers; payment card information including credit or debit card numbers, Card Verification Values (“CVVs”) and expiration dates; bank account information including bank account and routing numbers; and account user IDs and passwords.
Because of the incident, the FTC claims that InfoTrax Systems and its CEO failed to protect their users’ data and maintained problematic data security practices. As outlined in the complaint, the company failed to:
- Have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary.
- Adequately assess the cybersecurity risk posed to consumers’ personal information stored on InfoTrax’s network by performing adequate code review of InfoTrax’s software, and penetration testing of InfoTrax’s network and software.
- Detect malicious file uploads by implementing protections such as adequate input validation.
- Adequately limit the locations to which third parties could upload unknown files on InfoTrax’s network.
- Adequately segment InfoTrax’s network to ensure that one client’s distributors could not access another client’s data on the network.
- Avoid other unreasonable data security practices cited in the complaint.
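The two upload-related failures above (no input validation on uploaded files, and no limit on where third parties could write unknown files) are the kind of gap that lets an uploaded script become a remote-control foothold. The following is an added illustration, not code from InfoTrax or from the complaint, of the checks a defender would put in front of an upload endpoint: an extension allowlist, a magic-bytes check that the content matches the declared type, a size cap, a script-marker scan, and storage under a random name in a directory outside the web root. The allowed types, size limit and marker list are assumed policy values, not values from the page.

```python
import os
import re
import secrets

# Assumed policy values (hypothetical; not taken from the complaint).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",   # magic bytes each type must start with
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")  # heuristic, not exhaustive
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects unsafe names, oversized files,
    disallowed extensions, content/extension mismatches and script markers."""
    if not SAFE_NAME.match(filename) or ".." in filename:
        return False, "unsafe filename"
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"


def store_upload(filename: str, data: bytes, quarantine_dir: str) -> str:
    """Write a validated file under a random name into quarantine_dir, which
    should sit outside the web root so nothing uploaded can be served or run."""
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[-1].lower()
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(quarantine_dir, f"{secrets.token_hex(16)}.{ext}")
    # Belt-and-braces: the resolved path must stay inside the quarantine dir.
    root = os.path.realpath(quarantine_dir)
    if os.path.commonpath([os.path.realpath(dest), root]) != root:
        raise ValueError("path escapes quarantine directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o600)
    return dest
```

Rejected uploads should be logged with the reason string so that repeated mismatches from one client or distributor can be alerted on.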
As part of the proposed settlement, the FTC said that the company would be prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint.
“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers,” he added.