Yet another company has been found lacking when it comes to securing its consumers’ data.
Utah-based InfoTrax Systems provides back-end services to multi-level marketing companies (MLMs) such as dōTERRA, ZanGo, and LifeVantage, including website portals where individuals can register as a distributor, sign up new distributors, and place orders for themselves and end consumers.
According to a complaint from the US Federal Trade Commission (FTC), InfoTrax was first breached by a hacker in May 2014, who exploited network vulnerabilities to gain remote control over its systems.
The hacker was able to view, access, and delete files on InfoTrax’s server, and to upload new files. In all, they are said to have breached InfoTrax’s system 17 times over the next 21 months.
Then, on March 2, 2016, the hacker accessed the sensitive personal details of one million consumers.
According to the FTC, InfoTrax had been storing consumers’ social security numbers, payment card details, bank account information, user IDs, and passwords in “clear, readable text” on its network.
The FTC’s complaint says that InfoTrax’s failure to implement proper safeguards and security measures meant that it failed to detect suspicious behaviour on its systems between May 5 2014 and March 7 2016.
Indeed, InfoTrax only discovered that something unusual was taking place on March 7 when one of its servers alerted that it had reached its maximum capacity after the hacker created a data archive file so large that it caused a disk to run out of space.
That wasn’t the end of the problems for InfoTrax and its customers, however, as the hacker returned on March 14 2016 and injected code into a checkout page used by distributors in order to steal their names, physical addresses, and payment card data including CVVs and expiry dates.
Two weeks later the intruder was back again, this (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/infotrax-one-million-users-details-stolen-ftc/