Data of Millions at risk as Leading US IT Firm Failed to Detect Security Breaches for Years.
Getting your website hacked is probably your worst nightmare. However, the case of Utah-based tech firm InfoTrax Systems proves that what’s worse is getting your website hacked multiple times successfully.
Reportedly, the company could not detect intrusions, which kept on occurring from May 2014 to March 2016, and hence suffered huge losses as a result of this ignorance. Sometimes ignorance isn’t a bliss we think.
This is nothing else but a security blunder, that too, from a tech firm as renowned as InfoTrax Systems. Understandably, the company has been sued by US Federal Trade (FTC) as it not only failed to detect intrusion but also made data of over 1 million consumers vulnerable to hacking.
For your information, InfoTrax is America’s leading IT services provider, mainly known for its backend operating systems. Given the company’s nature of work, it has to collect sensitive inventory, accounting, compensation, and billing data from its customers.
So how the company did finally learn about a possible intrusion? That’s another interesting case in its own respect.
InfoTrax detected the security breach after it was notified that its serves have reached the maximum storage capacity limit. This happened because the hacker created a data archive file on the company servers.
FTC lawyers have provided exclusive details of the hacking spree in their complaint. The first time the hacker intruded InfoTrax Systems’ security breach by exploiting flaws in the company’s network and acquiring remote control over its server and client’s website, which the hacker used to access the system repeatedly (at least 17 times) for over 21 months.
On March 2, 2016, the hackers accessed the personal data of nearly 1 million consumers including their full names, email IDs, phone numbers, physical addresses, social security numbers, and their InfoTrax service accounts’ usernames and passwords.
Moreover, payment card information may include complete or partial debit/credit card numbers, card expiry dates, and CVVs while it is also suspected that the hacker obtained bank account information including routing numbers and account numbers too.
Later, on March 6, the hacker stole 41,000 usernames and passwords that were stored in clear-text format and also accessed payment card data.
The breach was identified on 7th March, 2016 but ironically, even after that the hacker was able to access the company’s network twice and by 14th March, the hacker obtained around private and financial information of 23,000 unique accounts and on 29th March, the hacker used the ID and password of the company’s distributor to collect newly uploaded data.
In a press release published on Tuesday, the FTC stated that InfoTraxf ailed to remove,
1. Inventory and delete personal information it no longer needed.
2. Conduct code review of its software and testing of its network.
3. Detect malicious file uploads
4. Adequately segment its network
5 Implement cybersecurity safeguards to detect unusual activity on its network.
The FTC offered InfoTrax a settlement proposal under which the company will be required to implement a reliable data security program to address the issues identified in the complaint and get it assessed every two years from a third-party.