The U.S. Federal Trade Commission sued a Utah company that provides back-end support for multi-level marketing companies over a series of data breaches it experienced between 2014 and 2016.
The basis for the FTC action was “unreasonable data security practices” in violation of the Federal Trade Commission Act. In other words, you can face action by the FTC if your data security is weak and allows hackers to steal customer information.
In its complaint, the FTC says an “intruder” accessed the servers of InfoTrax Systems LLC 17 times without detection. The hacker obtained Personally Identifiable Information (PII) on thousands of accounts.
The hacker’s efforts ended when InfoTrax got an alert that one of its servers had run out of storage space. The reason? The hacker had created a data archive file of the stolen information on the server. The file grew so large that it triggered the alert, which led to the discovery of the data theft.
The fallout from the incident included hundreds of people flooding a call center with reports of identity theft, tax fraud, fraudulent new lines of credit opened, and employment fraud, the FTC said in its complaint.
So what were InfoTrax’s “unreasonable data security practices”? The FTC’s list includes:
* Failing to inventory and delete consumers’ data once it was no longer necessary
* Failing to assess its cybersecurity risks
* Failing to do penetration testing
* Failing to segment its network to limit unauthorized access
* Failing to implement intrusion systems to detect potential attacks and theft
* Failing to use data loss prevention tools to monitor for attempts to steal data
* Failing to encrypt consumer data and identifying information
A settlement agreement between the FTC and InfoTrax requires InfoTrax to overhaul its data security system and processes. The agreement is in a public comment period.
InfoTrax’s new CEO issued a statement saying the company “deeply regretted” the situation.