Business Blog
When third-party service providers are party to sensitive data
Entrepreneurs wear a lot of hats. In addition to marketing their products, they’re responsible for operational functions like inventory, ordering, and the protection of customer data. Rather than managing all that millinery, some businesses turn to third-party service providers to run things behind the scenes. But what steps are those companies taking to secure the confidential consumer information in their possession? That’s one issue raised by the FTC’s proposed settlement with Utah-based InfoTrax Systems.
InfoTrax provides operations systems and online distributor tools for the direct sales industry. Multi-level marketers contract with InfoTrax to run their web portals. Through those portals, people register with MLMs as distributors, sign up new distributors, and place orders for themselves and for the consumers who buy from them.
Those transactions involve large amounts of sensitive data – full names, credit and debit cards with expiration dates and three-digit CVV numbers, bank account data, Social Security numbers, user IDs and passwords, etc. Let’s be clear: We’re not talking about a name here or an account number there. By September 2016, InfoTrax stored personal information from approximately 11.8 million consumers. But according to the complaint, InfoTrax engaged in a series of data fails that created vulnerabilities on its network, weaknesses that allowed unauthorized access to confidential consumer information. Among other things, the FTC alleges that:
- InfoTrax failed to perform adequate code review and penetration testing to assess cyber risks;
- InfoTrax failed to take precautions to detect malicious file uploads;
- InfoTrax failed to adequately limit where on its network third parties could upload unknown files;
- InfoTrax failed to adequately segment its network to ensure that one client’s distributors couldn’t access another client’s data;
- InfoTrax failed to implement safeguards to detect suspicious activity – for example, the company didn’t have an effective intrusion detection system to spot questionable queries; didn’t use file integrity monitoring tools to determine when files had been altered, and didn’t regularly monitor for unauthorized attempts to transfer sensitive data from its network;
- InfoTrax stored confidential information, including Social Security numbers, credit and debit card numbers, user IDs, and passwords in clear, readable text; and
- InfoTrax didn’t have a systematic process for deleting consumers’ personal information it no longer had a business need to keep on its network.
What happened as a result of those failures shouldn’t come as a surprise. According to the complaint, sometime in 2014 an intruder exploited security vulnerabilities on InfoTrax’s server and a client’s website to upload malicious code that gave the intruder remote access to data on InfoTrax’s network – something that was done a total of 17 times in a two-year period, all without InfoTrax spotting the problem. You’ll want to read the complaint for details, but the FTC alleges the intruder used multiple means to make off with highly sensitive financial information about InfoTrax’s clients and end consumers.
Finally, on March 7, 2016, almost two years after the data thefts began, InfoTrax got an inkling of the multiple breaches. The tip-off came in the form of an alert that one of its servers had reached its maximum capacity, a warning the company received only because an intruder had created a data archive so massive that the disk ran out of space. The FTC says that only then did the company take steps to remove the intruder from its network. But even so, the intruder continued to grab data from InfoTrax’s server for a few more weeks.
The complaint alleges that InfoTrax’s failure to employ reasonable data security to protect personal information was an unfair practice, in violation of the FTC Act. The proposed order requires InfoTrax and then-CEO Mark Rawlins to implement a comprehensive information security program, get every-other-year assessments, and certify compliance annually. In addition, the settlement puts specific safeguards in place to address the security deficiencies alleged in the complaint. The FTC is accepting public comments about the proposed settlement.
What insights can other companies glean from the case?
Readily available security tools can reduce risks. The FTC alleges InfoTrax could have reduced the risk to sensitive data by implementing readily available, cost-effective protective measures. For example, security-conscious companies use tools to monitor unauthorized entries and exits on their network. Then there’s input validation, which can determine if data from potentially untrusted sites is properly configured – a precaution that can reduce the risk of malicious code sneaking into, say, a data base on your network. In addition, file integrity tools may be able to spot if an intruder has altered information.
Inventory the data in your possession and securely dispose of it when there’s no longer a need to maintain it. According to the FTC, one of the databases the intruder breached was a legacy file InfoTrax wasn’t aware was still on its server. The complaint allegation demonstrates the importance of knowing what you have and where you have it. It also illustrates the wisdom of securely disposing of unnecessary information. You don’t have to protect what you no longer have.
Consider the impact security failures have on clients and customers. Identity theft is always a risk when personal information is breached, but the complaint in this case adds a human perspective on the consequences of lax data security. For example, when one InfoTrax client hired a call center to assist with data breach response, consumers and distributors reported more than 280 instances of alleged fraud, including 238 complaints of unauthorized credit card charges, 34 complaints of new credit lines opened, 15 complaints of tax fraud, and 1 complaint of misuse of information for employment purposes. For third-party service providers with sensitive consumer data, security that’s second to none should be a first-level priority.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
In reply to How does a small company by Guest
The FTC created cybersecurity resources for businesses to help them protecting against cyber attacks. The cybersecurity section covers a dozen topics, including vendor security. Read about how to monitor vendors, protect your business and what to do if a vendor has a security breach.
The FTC created the resources in partnership with the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Department of Homeland Security.
In reply to Has InfoTrax notified the 11 by Guest
The FTC complaint states that as of September 2016, InfoTrax stored personal information for approximately 11.8 million consumers, not that information of 11.8 million consumers was stolen. The FTC’s complaint alleges that InfoTrax engaged in a series of data failures that created vulnerabilities on its network, and that as a result of these failures InfoTrax experienced a number of security incidents and breaches. According to the FTC, these incidents and breaches led to injuries to consumers and businesses. The FTC says that between March 2016 and April 2016, one InfoTrax client sent breach notifications to its customers.