Company Hacked 20+ Times Within 2 Years
For nearly two years, a business did not notice that an intruder was repeatedly breaking into its IT systems and stealing the personal data of more than 1 million people. The result was an FTC investigation and complaint.
InfoTrax Systems, a provider of direct-sales solutions, only discovered the intrusions when a data archive file the intruder had created filled the server's storage and triggered an alert. In all, the company's server and the client websites it maintained were compromised more than 20 times between May 2014 and March 2016. In March 2016 alone, the intruder took the personal data of 1 million people.
The U.S. Federal Trade Commission (FTC) investigated and found that InfoTrax had failed to use “reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients”. On that basis, the FTC filed a complaint against InfoTrax and its former CEO for violating the FTC Act.
A Closer Look at the Case
The FTC found that the company stored consumers’ personal information in plain text on its network. This data included not only full names, physical addresses, and telephone numbers but also Social Security numbers, credit card information (account numbers, card verification values, and expiration dates), bank account numbers, and login credentials.
The company failed to:
- Implement measures (e.g., file integrity monitoring tools, an intrusion prevention and detection system) to detect anomalous activity and cybersecurity events
- Adequately segment its network to ensure that one client could not access another client’s data
- Detect malicious file uploads by implementing protections such as input validation
- Adequately assess cybersecurity risks by performing code reviews and network penetration testing
- Have a systematic process for inventorying consumers’ personal information and deleting data no longer needed
- Adequately limit the locations to which third parties could upload unknown files on the company’s network
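The third and last items above (validating uploads, and confining where third parties can put unknown files) are worth seeing as code. What follows is an added example written for this article, not InfoTrax's code or anything from the FTC record. The accepted file types, the 5 MiB size cap, and the rule that uploads are written under a server-chosen name to a directory outside the web root are assumptions for the example, and the sample uploads are constructed.

```python
"""Added example: server-side validation and safe storage of user uploads."""
import hashlib
import os
import secrets
import tempfile

# Allowlist of accepted types: extension -> leading bytes ("magic numbers") the
# content must begin with. The signatures are the standard ones; which types to
# accept is an assumed policy for this example.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed size cap


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return its accepted extension, or raise UploadRejected.

    The client-supplied filename is untrusted: any directory part is discarded,
    only the final extension is consulted, and the content must start with the
    magic bytes for that extension. A PHP webshell renamed to .png therefore
    fails the content check even though its extension is allowed.
    """
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing file extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(client_filename: str, data: bytes, upload_dir: str):
    """Validate, then write under a server-chosen name; return (name, sha256 hex).

    The client's name never touches the filesystem, so path traversal and
    executable suffixes are ruled out by construction. upload_dir is assumed to
    be outside the web root on a noexec mount, so a file that slips past the
    checks still cannot be executed by the web server.
    """
    ext = validate_upload(client_filename, data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    with open(path, "xb") as fh:  # "x": fail rather than overwrite
        fh.write(data)
    os.chmod(path, 0o640)  # not executable, not world-readable
    return stored_name, hashlib.sha256(data).hexdigest()


# Constructed sample uploads for the demo (not real captured data).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",  # webshell renamed to .png
    "../../var/www/html/x.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # traversal attempt
    "huge.pdf": b"%PDF-" + b"\x00" * MAX_UPLOAD_BYTES,  # just over the cap
}


def demo(upload_dir=None) -> dict:
    """Run every sample through store_upload; map name -> 'stored as <name>' or reason."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    results = {}
    for name, data in SAMPLES.items():
        try:
            stored_name, _digest = store_upload(name, data, upload_dir)
            results[name] = f"stored as {stored_name}"
        except UploadRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The traversal sample is accepted because its content really is a PNG, but it lands under a random name in `upload_dir`, which is the point: the client's path is never used. Magic-byte checks do not catch polyglot files that are valid images and valid scripts at once, so the storage rules (server-chosen name, no execute bit, a directory the web server will not execute from) carry as much weight as the validation itself.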
The stolen data was soon misused. Reported fraud included unauthorized credit card charges, new lines of credit opened in victims’ names, tax fraud, and use of victims’ information to obtain employment.
CopperTree Solutions can help you avoid this costly mistake by recommending ways to identify suspicious activity in your network. We can also put other safeguards in place to keep your business’s data out of hackers’ hands.
For additional ways to protect your business, contact us. We can help you get started with the IT planning items to consider and explain how our IT services can assist.