Details from the FTC’s investigation into a breach of InfoTrax Systems servers have been released, and they do not paint a pretty picture for the service provider. The FTC was investigating claims that InfoTrax failed to properly secure the servers housing customer data, which left an attacker with unrestricted access for two years, completely undetected. The attacker first gained access to InfoTrax’s servers in May of 2014 and accessed servers at least 17 times before the breach was discovered in March of 2016. The FTC’s report indicates that while stealing data from InfoTrax’s servers, the hacker created an archive of stolen data. Over the two years that the attacker had access, that archive grew so large that it ran out of disk space. The stolen data affected approximately one million user records from InfoTrax’s customer base. The theft was made easier by the fact that InfoTrax stored customer data in cleartext, including Social Security numbers, payment card data, bank account information, usernames, and passwords.
The requirements the FTC has put forth for InfoTrax to implement are important for every company to follow and include:
– Inventory and delete personal data which is no longer needed
– Conduct code reviews of software and conduct network testing
– Implement methods to detect malicious file uploads
– Segment the network structure to slow an attacker’s efforts
– Implement security safeguards to detect unusual network activity