[BreachExchange] FTC approves settlement with Utah tech company after data breach

Destry Winant destry at riskbasedsecurity.com
Tue Jan 7 10:14:14 EST 2020


https://www.deseret.com/utah/2020/1/6/21052201/ftc-approves-settlement-with-utah-tech-company-after-data-breach

SALT LAKE CITY — The Federal Trade Commission has signed off on a
settlement with a Utah technology company that allegedly failed to use
adequate cybersecurity, allowing a hacker to access the personal
information of more than a million consumers.

The FTC alleged that InfoTrax Systems and former CEO Mark Rawlins
didn’t take reasonable, low-cost and readily available security
measures to safeguard its business clients. The Orem-based company
provides software and hosting solutions for direct-selling companies.

As a result of the alleged security failures, a hacker infiltrated
InfoTrax’s server, along with websites maintained by the company for
clients, more than 20 times from May 2014 until March 2016. The hacker
accessed consumers’ sensitive personal data including Social Security
numbers, according to an FTC complaint.

InfoTrax said it took immediate action to secure the data and shut
down any further unauthorized access. It also contacted clients and
voluntarily requested the support of law enforcement, including the
FBI, to determine the nature and scope of the breach. The company also
contacted forensic security experts to help identify where its system
was vulnerable and to take steps to improve security and prevent
further incidents.

Without agreeing with the FTC’s findings, InfoTrax signed a consent
order last November that outlines the security measures it will
maintain going forward. After receiving no comments on the settlement,
the FTC voted 5-0 to finalize the order with InfoTrax and Rawlins.

As part of the agreement, InfoTrax and Rawlins are prohibited from
collecting, selling, sharing or storing personal information unless
they implement an information security program that addresses the
security failures identified in the FTC complaint.

In addition, the settlement requires the company and Rawlins to obtain
third-party assessments of their companies’ information security
programs every two years.
