For nearly two years, a business was unaware that a cybercriminal was repeatedly hacking its IT systems, which lead to the cybercriminal stealing the personal data of 1 million people — and an FTC investigation. Here is what the FTC found and the lessons that you can learn from this case.
For nearly two years, InfoTrax Systems, a provider of direct-sales solutions, was unaware that its IT systems were being repeatedly hacked. InfoTrax only discovered the breaches after a data archive file created by the cybercriminal maxed out the server’s storage capacity, prompting an alert. In all, the company’s server and client websites (which were maintained by InfoTrax) were hacked more than 20 times between May 2014 and March 2016. In March 2016 alone, the hacker stole the personal data of 1 million people.
In response to the breaches, the U.S. Federal Trade Commission (FTC) launched an investigation. The FTC found that InfoTrax failed to use “reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients”. These findings led the FTC to sue InfoTrax and its former CEO Mark Rawlins for violating the FTC Act. On November 12, 2019, InfoTrax and the FTC reached an agreement to settle the case. To understand the settlement, it helps to take a closer look at what the FTC found and how the data breaches occurred.
A Closer Look at the Case
The FTC found that InfoTrax engaged in a number of unreasonable data security practices, according to the FTC complaint. For starters, the company stored consumers’ personal information in plain text on its network. This data included not only their full names, physical addresses, and telephone numbers but also their social security numbers (SSNs), payment card information (including account numbers, card verification values, and expiration dates), bank account numbers, and login credentials.
In addition, the FTC found that the company failed to:
- Implement measures (e.g., file integrity monitoring tools, an intrusion prevention and detection system) to detect anomalous activity and cybersecurity events
- Adequately segment its network to ensure that one client could not access another client’s data on the network
- Adequately assess cybersecurity risks by performing code reviews and network penetration testing
- Detect malicious file uploads by implementing protections such as input validation
- Adequately limit the locations to which third parties could upload unknown files on the company’s network
- Have a systematic process for inventorying consumers’ personal information and deleting the data that was no longer needed
A cybercriminal had taken advantage of the lack of security measures and hacked into InfoTrax’s server. Once inside, the intruder uploaded malicious code that gave him or her the ability to remotely control the server. The hacker was able to access data, upload new files, and perform other actions. The cybercriminal also hacked into client websites that were maintained by InfoTrax.
In March 2016 the hacker stole data from InfoTrax’s server and client websites on four separate occasions. In all, the intruder got away with the personal data of 1 million people, including distributors and their customers (aka end consumers).
It wasn’t long before the stolen personal data started to be used. For example, the data breach response team hired by one of InfoTrax’s clients received more than 280 reports of alleged fraud from that client’s distributors and end consumers. The acts of fraud included unauthorized credit card charges, new lines of credit being opened, tax fraud, and misuse of information for employment purposes.
To settle the case, InfoTrax agreed to not collect, sell, share, or store personal data unless it implements an information security program that would address the security failures identified in the FTC complaint. In addition, InfoTrax is required to obtain an objective, third-party assessments of its information security program after the first 180 days and thereafter every two years for the next 20 years. Each violation found can result in a civil penalty of up to $42,530.
In a press release, InfoTrax CEO Scott Smith responded to the settlement. He commented:
“Without agreeing with the FTC’s findings from their investigation, we have signed a consent order that outlines the security measures that we will maintain going forward, many of which were implemented before we received the FTC’s order.”
“We deeply regret that this security incident happened. Information security is critical and integral to our operations, and our clients’ and customers’ security and privacy is our top priority.”
Two Important Lessons Learned
There are two important lessons to be learned from InfoTrax’s experiences. The most crucial one is that U.S. companies can be held liable for safekeeping personal information even if they do not fall under the jurisdiction of regulations such as the United States’ Health Insurance Portability and Accountability Act or the European Union’s General Data Protection Regulation (which applies to U.S. companies if they have customers who live in the European Union).
Section 5(a) of the FTC Act (15 USC §45) prohibits “unfair or deceptive acts or practices in or affecting commerce.” The five FTC commissioners unanimously agreed that InfoTrax violated this provision. They wrote:
“… the failure to employ reasonable data security practices to protect personal information — including names, addresses, SSNs, other government identifiers, and financial account information — caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice was, and is, an unfair act or practice.”
The other lesson to heed is the importance of implementing measures to detect IT system intrusions and data breaches. The average time it takes for businesses to identify that a data breach has occurred is 206 days, or about 7 months, according to a 2019 data breach study. It can take much longer, though, if no measures are in place to detect intrusions and data breaches. For example, in InfoTrax’s case, it took the company around 22 months to realize its systems and data were being breached. The longer it takes to identify and contain a data breach, the more costly it will be for the company, according the data breach study.
We can help you avoid this costly mistake by recommending ways to identify suspicious activity in your network. We can also make sure that your network has other safeguards in place to keep your business’s data out of hackers’ hands.