A security breach becomes far more damaging when the victim fails to detect the intrusion. InfoTrax Systems, a Utah-based technology firm, is a stark example: an attacker accessed its systems more than 20 times between May 2014 and March 2016, exposing serious gaps in the company's security controls.

The breach was discovered only when an alert fired because one of the company's servers had run out of storage space, filled by a data archive file the intruder had created. The incident illustrates a persistent problem in security operations: intrusions often go unnoticed until a side effect, rather than a security control, reveals them.

InfoTrax Systems provides back-end operational systems to multi-level marketing companies, and as a result holds a large amount of sensitive data about distributors' user accounts, including compensation, inventory and order details. The intrusion is believed to have begun in May 2014, when the attacker exploited known vulnerabilities to gain remote control of the company's servers and, with it, access to personal information belonging to roughly one million consumers.

The United States Federal Trade Commission (FTC) subsequently filed a complaint against InfoTrax Systems, alleging that the company's inadequate safeguards led to the exposure of personal data it held on behalf of its clients. According to the complaint, the attacker returned to the InfoTrax systems 17 times over the following months without being detected, and on March 2, 2016 began extracting personal information.

The compromised data included customer names, Social Security numbers, physical and email addresses, telephone numbers, usernames and passwords. It also included payment card data (full or partial card numbers, CVVs and expiration dates) and bank account details, leaving affected individuals exposed to payment fraud and identity theft.

The breach was formally identified on March 7, 2016, when the server-capacity alert fired. Even after the company knew about the intrusion, the attacker got back in at least twice. On March 14, the hacker harvested more than 2,300 unique payment card numbers together with the billing data that distributors had submitted during their transactions. On March 29, the hacker used a valid distributor account's credentials to upload additional malicious code, compromising further customer data.

The FTC's complaint cited a series of security deficiencies at InfoTrax Systems: the company failed to inventory and delete personal data it no longer needed, to conduct code reviews of its software and testing of its network, to detect malicious file uploads, and to adequately segment its network. It also lacked safeguards to identify anomalous activity on its systems, which is why the intruder's repeated access went unnoticed.
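Two of the failures above, a large archive staged by the intruder that was noticed only when the disk filled up, and malicious files uploaded through a legitimate account, are the kind of thing a simple host-side scan can surface before an outage does. The script below is an added example written for this article, not code from InfoTrax or from the FTC filings. It identifies archives by their magic bytes rather than their extension (an attacker's staging file will not be named `.zip`), flags those that are both large and recently written, and flags files in an upload directory whose content is script despite an image or PDF extension. The thresholds, the accepted upload extensions and the sample files it builds in a temporary directory are all assumptions for the demonstration.

```python
"""Scan a directory tree for (a) large, recently written archives that may be
exfiltration staging and (b) uploaded "images" that actually contain script.
Added example for this article; not InfoTrax code. Thresholds, extensions and
the demo files are assumptions."""
import os
import tempfile
import time
from pathlib import Path

# Leading bytes of common archive formats (detection by content, not name).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

# Markers that mean a file is server-side or client-side code, whatever it is called.
SCRIPT_MARKERS = (b"<?php", b"<%", b"#!/", b"<script")

# Extensions an upload endpoint is assumed to accept; only these are checked for script.
UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def archive_kind(head: bytes):
    """Return the archive type for the first 512 bytes of a file, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head[257:262] == b"ustar":  # POSIX tar keeps its magic at offset 257
        return "tar"
    return None


def looks_like_script(head: bytes) -> bool:
    """True if any script marker appears in the file header."""
    return any(marker in head for marker in SCRIPT_MARKERS)


def scan(root, min_archive_bytes=100 * 1024 * 1024, max_age_seconds=24 * 3600, now=None):
    """Walk root and return (rule, path, size) findings. Old archives such as
    routine backups fall outside max_age_seconds and are not reported."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        with open(path, "rb") as fh:
            head = fh.read(512)
        kind = archive_kind(head)
        if kind and st.st_size >= min_archive_bytes and now - st.st_mtime <= max_age_seconds:
            findings.append(("staged_archive", str(path), st.st_size))
        if path.suffix.lower() in UPLOAD_EXTENSIONS and looks_like_script(head):
            findings.append(("script_in_upload", str(path), st.st_size))
    return findings


def build_demo_tree(root):
    """Constructed sample files (not real data) that exercise each rule."""
    root = Path(root)
    (root / "uploads").mkdir(parents=True, exist_ok=True)
    # 1. fresh 4 KiB zip with a non-archive name: flagged at a 1 KiB threshold
    (root / "dump.dat").write_bytes(b"PK\x03\x04" + b"\x00" * 4092)
    # 2. same-sized gzip, but ten days old: outside the recency window, not flagged
    old = root / "backup.bin"
    old.write_bytes(b"\x1f\x8b" + b"\x00" * 4094)
    stale = time.time() - 10 * 86400
    os.utime(old, (stale, stale))
    # 3. "image" upload that is actually a PHP stub: flagged
    (root / "uploads" / "photo.jpg").write_bytes(b"<?php echo 'x'; ?>")
    # 4. benign text and a genuine-looking PNG header: not flagged
    (root / "notes.txt").write_bytes(b"nothing to see")
    (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return root


def demo_findings():
    """Build the demo tree in a temp dir and scan it with a 1 KiB archive threshold."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(rule, Path(p).name, size) for rule, p, size in scan(tmp, min_archive_bytes=1024)]


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

In production the threshold would be set from the host's normal file-size profile and the scan run from a scheduled job or a file-integrity monitor, with findings sent to the SIEM rather than printed; the point is that a disk-full alert is a poor substitute for a rule that fires when a multi-gigabyte archive appears somewhere archives do not belong.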

Under the proposed settlement announced in the FTC's press release, InfoTrax Systems must implement a comprehensive data security program that addresses the identified failures, and must obtain independent third-party assessments of its information security program every two years.

The case is a reminder that organizations need to evaluate and strengthen their security practices continuously, and that detecting an intruder matters as much as keeping one out. Mapping an incident like this one onto the MITRE ATT&CK framework, from initial access through persistence to collection and exfiltration, helps defenders see which stages their current controls would actually catch.
