InfoTrax Systems, a Utah-based technology company, has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers. InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.
In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:
- inventory and delete personal information it no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.
Perhaps the most important lesson of this settlement is this: “Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”
As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.
InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleged.
As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint.