InfoTrax Systems this week settled with the Federal Trade Commission regarding allegations that the company failed to protect consumer data after a nearly two-year-long data breach.
The FTC filed a complaint against the Utah-based multi-level marketing software company in the wake of attackers stealing sensitive information on approximately one million customers over the course of more than 20 malicious infiltrations between May 2014 and March 2016.
InfoTrax only became aware of the attacks in March 2016 because a data archive file created by the malicious actors grew so large that servers reached maximum storage capacity. "Only then did Respondents begin to take steps to remove the intruder from InfoTrax's network," the FTC wrote in the complaint.
The FTC asserted that InfoTrax -- in part -- failed to implement a process to inventory and delete unnecessary customer information, failed to detect malicious file uploads and stored consumers' personal information, including Social Security numbers, bank account information, payment card information and more, "in clear, readable text on InfoTrax's network."
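The breach was noticed only when an attacker-built archive filled the disk, and the complaint lists the absence of detection for malicious files among the failures. The following added example (not from the article, the FTC filing, or InfoTrax) shows the kind of low-cost check a defender would run on a periodic basis: it flags unusually large, recently modified archive files and, across two snapshots, archives that are growing quickly. The size thresholds, age window, archive suffix list and sample file records are assumptions constructed for the example.

```python
"""Staging-archive detector: flag large or fast-growing archive files.

Added example, not the article's or InfoTrax's code. Thresholds, suffixes and
the sample snapshots below are constructed assumptions.
"""
import os
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MiB = 1024 * 1024
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar", ".gz")
DEFAULT_MIN_BYTES = 500 * MiB    # assumed: anything over 500 MiB deserves a look
DEFAULT_MAX_AGE_S = 7 * 86400    # assumed: only files touched in the last 7 days


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int      # bytes
    mtime: float   # POSIX timestamp of last modification


def is_archive(path: str) -> bool:
    """True if the file name ends with a known archive suffix (case-insensitive)."""
    return path.lower().endswith(ARCHIVE_SUFFIXES)


def find_staging_archives(records: Iterable[FileRecord],
                          min_bytes: int = DEFAULT_MIN_BYTES,
                          max_age_s: int = DEFAULT_MAX_AGE_S,
                          now: Optional[float] = None) -> List[FileRecord]:
    """Return large, recently modified archives, biggest first.

    Old large archives (routine backups) fall outside the age window and are
    not reported; a fresh multi-gigabyte archive in an odd location is.
    """
    now = time.time() if now is None else now
    hits = [r for r in records
            if is_archive(r.path)
            and r.size >= min_bytes
            and (now - r.mtime) <= max_age_s]
    return sorted(hits, key=lambda r: r.size, reverse=True)


def growing_archives(previous: Iterable[FileRecord], current: Iterable[FileRecord],
                     min_growth_bytes: int) -> List[Tuple[FileRecord, int]]:
    """Compare two snapshots; return (record, bytes_grown) for archives that grew
    by at least min_growth_bytes, largest growth first. A file absent from the
    earlier snapshot counts as having grown from zero."""
    before = {r.path: r.size for r in previous}
    out = []
    for r in current:
        if not is_archive(r.path):
            continue
        delta = r.size - before.get(r.path, 0)
        if delta >= min_growth_bytes:
            out.append((r, delta))
    return sorted(out, key=lambda t: t[1], reverse=True)


def snapshot_directory(root: str) -> List[FileRecord]:
    """Walk a real directory tree and collect file records (unreadable entries skipped)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            records.append(FileRecord(path, st.st_size, st.st_mtime))
    return records


# Constructed sample snapshots, one day apart, with a fixed "now" so the
# example is deterministic. The backup is large but old; out.zip is new and growing.
NOW = 1_700_000_000.0
SNAPSHOT_DAY1 = [
    FileRecord("/srv/app/logs/app.log", 120 * MiB, NOW - 86400),
    FileRecord("/srv/app/backups/db-2016-02.tar.gz", 800 * MiB, NOW - 40 * 86400),
    FileRecord("/tmp/.cache/out.zip", 300 * MiB, NOW - 86400),
]
SNAPSHOT_DAY2 = [
    FileRecord("/srv/app/logs/app.log", 125 * MiB, NOW),
    FileRecord("/srv/app/backups/db-2016-02.tar.gz", 800 * MiB, NOW - 40 * 86400),
    FileRecord("/tmp/.cache/out.zip", 2500 * MiB, NOW),
]

if __name__ == "__main__":
    for r in find_staging_archives(SNAPSHOT_DAY2, now=NOW):
        print(f"large recent archive: {r.path} ({r.size // MiB} MiB)")
    for r, delta in growing_archives(SNAPSHOT_DAY1, SNAPSHOT_DAY2, 1024 * MiB):
        print(f"fast-growing archive: {r.path} (+{delta // MiB} MiB since last run)")
```

Run against a real host with `snapshot_directory("/")` on a schedule and keep the previous snapshot on disk; the growth check is the one that would have fired early in the scenario above, long before the disk filled. Tune the thresholds to the host's normal backup and log-rotation pattern so routine archives do not page anyone.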
The FTC added, "Respondents could have addressed each of the failures ... by implementing readily available and relatively low-cost security measures."
As a result of the settlement, InfoTrax is "prohibited from collecting, selling, sharing or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards," the FTC wrote in a statement published Tuesday.
The company will also have to obtain assessments of its information security program from a third party, approved by the FTC, every two years.
On Nov. 12, Scott Smith, president and newly appointed CEO of InfoTrax, released a statement that is no longer hosted at its original link on PR Newswire. A copy was published by The Herald Journal.
Smith claimed the company "took immediate action" to secure data and prevent further unauthorized access after discovering the breach. The company then contacted affected clients, law enforcement agencies, including the FBI, as well as "top forensic security experts to help us identify where our system was vulnerable and to take steps to improve our security and prevent further incidents like this."
"Without agreeing with the FTC's findings from their investigation, we have signed a consent order that outlines the security measures that we will maintain going forward, many of which were implemented before we received the FTC's order," Smith said. "We deeply regret that this security incident happened. Information security is critical and integral to our operations, and our clients' and customers' security and privacy is our top priority."
In response to SearchSecurity's request for the original statement, InfoTrax offered a slightly modified one from the CEO, which notably removed the part about not agreeing to the FTC's findings:
"This incident happened nearly four years ago, at which time we took immediate steps to identify and remediate the issue. We notified our clients and worked closely with security experts and law enforcement. We deeply regret that the incident happened," Smith said in the statement. "Even though the FTC has just now released their documents, this is an issue we responded to immediately and aggressively as soon as we became aware of it in 2016, and we have not experienced additional incidents since then. The privacy and security of our clients' information continues to be our top priority today."
Richard Newman, an FTC defense attorney at Hinch Newman LLP in New York, told SearchSecurity that his overall take on the case was that "The FTC's enforcement of data security matters based upon alleged unreasonable data security practices is becoming an increasingly common occurrence. The Commission does so under various theories, including that such acts and practices are 'unfair' in violation of the FTC Act."
He added that the stipulation that InfoTrax is prohibited from collecting, sharing, or selling user data until they fix their security issues is "not uncommon," and that "stipulated settlement agreements in this area have recently undergone an overhaul based upon judicial developments and enforceability-related challenges. Terms such as mandated information security programs, security assessments, etc. are now commonplace in such settlements."
Regarding whether or not the settlement is adequate, Adam Solander, a partner at King & Spalding LLP in Atlanta, told SearchSecurity, "It's hard to judge without being involved intimately with the facts, but the FTC is an aggressive organization. They take privacy and security very seriously, and I think this is evidence of how aggressive they are in their enforcement of it."