A hacker got access to the personal information of a million consumers after infiltrating into the systems of a Utah-based technology company more than 20 times during a period of 22 months.
The company, InfoTrax Systems, has now agreed to implement a comprehensive data security programme to settle US Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards.
InfoTrax Systems provides back-end operation services to multi-level marketeers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients' website portals.
In its complaint, the FTC alleged that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients.
This includes failing to inventory and delete personal information it no longer needed; conduct code review of its software and testing of its network; detect malicious file uploads; adequately segment its network; and implement cybersecurity safeguards to detect unusual activity on its network, FTC said in a statement this week.
In addition, the FTC alleged that InfoTrax stored consumers' personal information - such as Social Security numbers, payment card information, bank account information, and user names and passwords - in clear, readable text on its network.
"Service providers like InfoTrax don't get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers," said Andrew Smith, Director of the FTC's Bureau of Consumer Protection.
"As this case shows, it's every company's responsibility to protect customers' personal information, especially sensitive data like Social Security numbers."
As a result of the company's security failures, a hacker infiltrated InfoTrax's server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016.
In March 2016, the intruder accessed about one million consumers' sensitive personal information, according to the complaint.
InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity.
This alert was due to a data archive file created by the hacker who had infiltrated its network.
InfoTrax's security failures not only affected its network but also the websites of its clients, the FTC alleges.
The personal information that the intruder obtained can be used to commit identity theft and fraud.
As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security programme that would address the security failures identified in the complaint.