The Federal Trade Commission finalized a settlement with cloud software provider InfoTrax Systems, L.C. following claims that it failed to enact sufficient data security policies, enabling a hacker to access sensitive personal data.
The security incident
According to the FTC, a hacker was able to access InfoTrax Systems’ server over 20 times from May 2014 to March 2016, successfully obtaining sensitive personal data that could be used to commit identity theft and fraud. The FTC alleged that personal data such as Social Security numbers, banking information, user names and passwords had been stored on the InfoTrax server in an unsafe manner, in clear, readable text. The hack was only discovered in 2016, when InfoTrax was alerted that its servers had reached maximum capacity because of a data archive file created by the hacker.
The terms of the settlement prohibit the company from collecting, selling, sharing, or storing personal information until it implements a data security program that addresses the failures that permitted the hack. The settlement requires the company to perform quarterly vulnerability testing of its network, as well as annual reviews of its software code and annual penetration testing to simulate a hacker’s ability to access the company network.
Additionally, the company is required to obtain a third-party review of its information security programs every two years for the next 20 years, by an assessor approved by the FTC.
The FTC’s complaint asserted that reasonable, low-cost security protections were available that could have mitigated the risk of this hack. The complaint shows that the FTC generally expects businesses to take proactive measures: to review their own data security programs on a regular basis and to test their networks so that such an attack on sensitive data is prevented. The settlement illustrates that the FTC expects companies to do the following:
- Systematically inventory personal data and delete it when no longer needed
- Encrypt sensitive information such as Social Security numbers, payment information and authentication credentials like user names and passwords wherever it is saved on the company’s network
- Assess the risk of data breaches by performing regular code review of software, as well as through vulnerability and penetration testing of the company network
- Detect and address malicious file uploads
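The complaint's central technical finding is that passwords and Social Security numbers sat on the server in clear, readable text. The following is an added example, not code from the FTC complaint or from InfoTrax, showing what the "encrypt authentication credentials" expectation looks like in practice for a defender: passwords are stored as salted PBKDF2-HMAC-SHA256 digests rather than recoverable values, and a small audit routine flags any stored record whose password or SSN field still looks like clear text, which supports the "inventory personal data" item as well. The PBKDF2 iteration count, the `pbkdf2_sha256$...` encoding format, the `enc:v1:` prefix used to mark an SSN that has been encrypted at the application layer, and the sample records are all assumptions constructed for this example.

```python
"""Constructed example: credential storage that does not keep secrets in clear
text, plus an audit that flags records still stored the way the FTC complaint
describes (plain passwords and raw SSNs). Standard library only."""
import hashlib
import hmac
import os
import re

# Assumption: iteration count chosen for this example; tune to ~0.1 s per check.
PBKDF2_ITERATIONS = 200_000

# Assumed on-disk format: algorithm$iterations$salt_hex$digest_hex
_ENCODED_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
# A value that still looks like a raw SSN has not been protected.
_SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 digest as a self-describing string.

    A fresh random salt per user means two identical passwords produce
    different stored values, so a stolen table cannot be attacked with
    precomputed digests.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    m = _ENCODED_RE.match(encoded)
    if not m:
        return False  # anything not in the expected format never verifies
    iterations, salt_hex, digest_hex = int(m.group(1)), m.group(2), m.group(3)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_records(records):
    """Return (record_id, field, problem) for every field still in clear text.

    This is the periodic self-review the settlement calls for, reduced to
    two checks: passwords must be salted hashes, SSNs must not be raw.
    """
    findings = []
    for rec in records:
        if not _ENCODED_RE.match(rec.get("password", "")):
            findings.append((rec["id"], "password", "not a salted hash"))
        if _SSN_RE.match(rec.get("ssn", "")):
            findings.append((rec["id"], "ssn", "clear-text SSN"))
    return findings


# Constructed sample data: record 1 is stored correctly, record 2 is stored
# the way the complaint describes. The ssn in record 1 is a placeholder for
# application-layer ciphertext, not a real encrypted value.
SAMPLE_RECORDS = [
    {"id": 1, "user": "alice", "password": hash_password("correct horse"),
     "ssn": "enc:v1:<ciphertext-placeholder>"},
    {"id": 2, "user": "bob", "password": "hunter2", "ssn": "123-45-6789"},
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print("FINDING record=%s field=%s: %s" % finding)
```

Running the block prints two findings, both for record 2. The audit is deliberately narrow: it does not decide whether `enc:v1:` ciphertext is sound, only whether a field is still recognisably plain. That is the check that would have surfaced the storage practice the FTC described before an intruder did.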