Yet another company has been found lacking when it comes to securing its consumers' data. Utah-based InfoTrax Systems provides back-end services to multi-level marketing companies (MLMs) such as dōTERRA, ZanGo, and LifeVantage, hosting website portals where individuals can register as a distributor, sign up new distributors, and place orders for themselves and end consumers.

According to a complaint from the US Federal Trade Commission (FTC), InfoTrax was first breached by a hacker in May 2014, who exploited network vulnerabilities to gain remote control over its systems. The hacker was able to view and access files on InfoTrax's server, delete files, and upload new ones. In all, they are said to have breached InfoTrax's system 17 times over the following 21 months. Then, on March 2, 2016, the hacker accessed the sensitive personal details of one million consumers. According to the FTC, InfoTrax had been storing consumers' social security numbers, payment card details, bank account information, user IDs, and passwords in "clear, readable text" on its network.

The FTC's complaint says that InfoTrax's failure to implement proper safeguards and security measures meant that it failed to detect suspicious behaviour on its systems between May 5, 2014 and March 7, 2016. Indeed, InfoTrax only discovered that something unusual was taking place on March 7, when one of its servers alerted that it had reached its maximum capacity: the hacker had created a data archive file so large that it caused a disk to run out of space.

That wasn't the end of the problems for InfoTrax and its customers, however. The hacker returned on March 14, 2016 and injected code into a checkout page used by distributors in order to steal their names, physical addresses, and payment card data, including CVVs and expiry dates.

Two weeks later the intruder was back again, this time using the user ID and password of a legitimate distributor to upload more malicious code to InfoTrax's servers. From there they managed to elevate their privileges, gain access to other clients' accounts, and plant yet more payment card-stealing code onto webpages.

According to the FTC, simple low-cost measures could have provided InfoTrax with a higher level of security. Instead, it says, the company failed to:
- inventory and delete personal information it no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
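As an added example that is not from the article or from InfoTrax, the following Python audit applies two of the safeguards the FTC lists to a web root: a hash baseline that flags a changed checkout page (the injected card-stealing code) or an unexpected uploaded file, and a size check that flags a large archive staged under the web root before it fills a disk. The archive extensions, the size threshold, and the sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumptions (not from the article): which extensions count as archives and how
# large an archive under the web root is suspicious. Tune both to the site.
ARCHIVE_EXTENSIONS = {".zip", ".tar", ".gz", ".tgz", ".7z", ".rar"}
LARGE_ARCHIVE_BYTES = 500 * 1024 * 1024

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_webroot(webroot, baseline, large_archive_bytes=LARGE_ARCHIVE_BYTES):
    """Compare a web root against baseline {relative path: sha256}; return sorted
    (finding, path) pairs: modified_page (hash changed, e.g. injected script),
    unexpected_file (not in baseline, e.g. an upload), large_archive (staged data)."""
    findings = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXTENSIONS and os.path.getsize(path) >= large_archive_bytes:
                findings.append(("large_archive", rel))
            if rel not in baseline:
                findings.append(("unexpected_file", rel))
            elif sha256_file(path) != baseline[rel]:
                findings.append(("modified_page", rel))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a checkout page, then simulate an appended
    script and a large archive dropped under the web root, and audit both."""
    with tempfile.TemporaryDirectory() as webroot:
        page = os.path.join(webroot, "checkout.html")
        with open(page, "w") as f:
            f.write("<form id='pay'>card fields</form>\n")
        baseline = {"checkout.html": sha256_file(page)}
        with open(page, "a") as f:  # inert stand-in for the injected skimmer
            f.write("<script>/* constructed marker */</script>\n")
        with open(os.path.join(webroot, "export.zip"), "wb") as f:
            f.write(b"\0" * (2 * 1024 * 1024))  # 2 MiB; threshold lowered below
        return audit_webroot(webroot, baseline, large_archive_bytes=1024 * 1024)
```

In production the baseline would be stored off the web server and the audit scheduled, so that a changed page or a staged archive raises an alert rather than a disk-full error.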

Under the terms of the FTC settlement, InfoTrax will be prohibited from collecting and storing personal information until it has put in place an information security program that addresses these security failures. In addition, its security will need to be assessed by a third party every two years.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.