Backend operation services provider InfoTrax Systems has reached a settlement with the U.S. Federal Trade Commission (FTC) over a data breach discovered in 2016, the agency announced this week.
Utah-based InfoTrax provides multi-level marketers with a variety of services, including compensation, inventory, accounting, and training, as well as data security, in addition to operating website portals for its customers.
In early 2016, the company discovered that hackers had compromised its servers, and that customer data, including sensitive information, had been accessed by the attackers.
According to an FTC complaint, InfoTrax and its former CEO Mark Rawlins failed to properly secure the personal information of its clients. Moreover, the Commission notes that the company didn’t even use “reasonable, low-cost, and readily available security protections” to ensure the safety of that data.
The FTC says InfoTrax did not keep track of and remove customer data it no longer needed, did not conduct software code reviews or network testing, failed to detect malicious file uploads, failed to adequately segment its network, and did not implement the necessary safeguards to detect unusual activity on its network.
On top of that, the company apparently stored sensitive information such as Social Security numbers, payment card information, bank account information, and usernames and passwords in clear text on its network.
These failures, the FTC notes, allowed a hacker to access InfoTrax's server and customer websites over 20 times between May 2014 and March 2016. The complaint also alleges that, in March 2016, the hacker accessed over one million customers' personal information.
In March 2016, the hacker created a large data archive file that resulted in the server reaching maximum storage capacity, ..