Utah Company and Its Former CEO Settle with FTC Over Alleged Security Failures

Utah Company and Its Former CEO Settle with FTC Over Alleged Security Failures

The US Federal Trade Commission has reached a settlement with a Utah company and its former CEO over allegations that shoddy security practices led to the personal information of over a million customers' being illegally accessed in multiple hacks.

InfoTrax Systems, L.C. and its founder and former CEO Mark Rawlins allegedly failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of the company’s business clients. 

As a result of the alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. 

Sensitive personal information accessed by the hacker included consumers' Social Security numbers, full names, addresses, email addresses, telephone numbers, usernames, passwords, and payment account numbers with expiration data and CVVs, according to the FTC’s complaint. None of the consumer data stored had been encrypted.

It is further alleged that the presence of the intruder inside the company's system from May 5, 2014, to March 7, 2016, was only discovered because InfoTrax began receiving alerts that one of its servers had reached maximum capacity. 

In its complaint, the FTC wrote: "The only reason Respondents received any alerts is because an intruder had created a data archive file that had grown so large that the disk ran out of space. Only then did Respondents begin to take steps to remove the intruder from InfoTrax’s network."

More hacks occurred on March 14 and 29, 2016, when a threat actor gained access to the company's network, infecting it with malware that harvested payment card and other billing data. 

Under the terms of the settlement, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. 

In addition, the company and Rawlins are required to obtain third-party assessments of their company’s information security programs every two years.

Utah State University computer science graduate Rawlins founded MLM services provider InfoTrax Systems in 1998. Clients of the company include doTerra, Xango, and LifeVantage.

Source: Information Security Magazine