[BreachExchange] Breach affecting 1 million was caught only after hacker maxed out target’s storage

Destry Winant destry at riskbasedsecurity.com
Fri Nov 15 10:14:52 EST 2019


https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/

The US Federal Trade Commission has sued an IT provider for failing to
detect 20 hacking intrusions over a 22-month period, allowing the
hacker to access the data for 1 million consumers. The provider only
discovered the breach when the hacker maxed out the provider’s storage
system.

Utah-based InfoTrax Systems was first breached in May 2014, when a
hacker exploited vulnerabilities in the company’s network that gave
remote control over its server, FTC lawyers alleged in a complaint.
According to the complaint, the hacker used that control to access the
system undetected 17 times over the next 21 months. Then on March 2,
2016, the intruder accessed personal information for about 1 million
consumers. The data included full names, Social Security numbers,
physical addresses, email addresses, phone numbers, and usernames and
passwords for accounts on the InfoTrax service.

The intruder accessed the site later that day and again on March 6,
stealing 4,100 usernames, passwords stored in clear-text, and hundreds
of names, addresses, Social Security numbers, and data for payment
cards.

The complaint said InfoTrax employees did not discover the breach
until March 7, 2016, when they received alerts that one of the
company's servers had reached its maximum storage capacity. The alert
was the result of the intruder creating a data archive file that had
grown so large that a hard drive ran out of space. It was only then,
FTC attorneys said, that InfoTrax began taking steps to secure its
network.

Even after the breach came to light, the InfoTrax network was
compromised at least two more times, the FTC alleged. One week later,
an intruder used malicious code to collect data through an InfoTrax
customer’s website that harvested more than 2,300 unique, full payment
card numbers, including names, physical addresses, CVVs, and
expiration dates. Then on March 29, an intruder used the user ID and
password of an InfoTrax client to upload more malicious code. The
intruder used the access to collect newly submitted payment card data.

InfoTrax’s “failure to provide reasonable security for the personal
information of distributors and end consumers has caused or is likely
to cause substantial injury to consumers in the form of fraud,
identity theft, monetary loss, and time spent remedying the problem,”
FTC lawyers wrote in the complaint. They said a call center retained
by one InfoTrax client seeking help with the breach response received
more than 238 complaints of unauthorized payment card charges, 34
complaints of new credit lines opened, 15 complaints of tax fraud, and
one complaint of misuse of information for employment purposes.

Specific failures alleged by the FTC against InfoTrax included not:

taking inventory and deleting personal data it no longer needed
conducting code review of its software and testing the security of its network
detecting malicious file uploads
adequately segmenting its network
implementing security safeguards to detect suspicious activity on its network

The FTC said in a statement that as part of a proposed settlement,
InfoTrax will be barred from collecting, selling, sharing, or storing
personal information unless the company implements a security program
that corrects the failures identified in the complaint. InfoTrax will
also be required to obtain third-party assessments of its security
every two years.
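The detection gap the article describes, a staging archive that grew undetected until it filled a disk, is the kind of thing a cheap periodic file-system sweep can surface weeks earlier, and a disk-usage alert at 80 percent rather than 100 percent gives responders time to act before the intruder is done. The following is an added example written for this post; it is not InfoTrax's tooling and does not come from the FTC complaint. The thresholds, file names and the sample directory tree are assumptions constructed for the demo:

```python
"""Flag oversized, recently written archive files under a directory tree,
the pattern behind the InfoTrax discovery (an intruder packing stolen data
into one archive until the drive ran out of space).  Added example, not
InfoTrax's or the FTC's code; paths, thresholds and sample files are assumed."""
import gzip
import os
import shutil
import tempfile
import time
import zipfile
from dataclasses import dataclass

# Magic bytes of common archive formats an intruder might use to stage data.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


@dataclass
class Finding:
    path: str
    size: int
    kind: str
    age_seconds: float


def archive_kind(path):
    """Return the archive type by magic bytes (tar via its 'ustar' marker), or None."""
    with open(path, "rb") as f:
        head = f.read(512)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head[257:262] == b"ustar":
        return "tar"
    return None


def find_staging_archives(root, min_bytes, max_age_seconds, now=None):
    """Walk root and return archives of at least min_bytes that were modified
    within max_age_seconds, largest first.  Size and age are checked before
    the file is opened so the sweep stays cheap on large trees."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or metadata unreadable; skip it
            age = now - st.st_mtime
            if st.st_size < min_bytes or age > max_age_seconds:
                continue
            kind = archive_kind(path)
            if kind is not None:
                findings.append(Finding(path, st.st_size, kind, age))
    return sorted(findings, key=lambda f: f.size, reverse=True)


def disk_used_fraction(path):
    """Fraction (0.0 to 1.0) of the filesystem holding path that is in use."""
    usage = shutil.disk_usage(path)
    return usage.used / usage.total


def should_alert(findings, used_fraction, used_threshold=0.80):
    """Alert on any suspicious archive, or when the disk passes the fill
    threshold, well before it reaches 100 percent (assumed threshold)."""
    return bool(findings) or used_fraction >= used_threshold


def build_sample_tree(base, now):
    """Constructed sample data, not real files: a fresh 200 KB staging zip, a
    month-old gzip backup, a large plain-text file and a tiny zip."""
    with zipfile.ZipFile(os.path.join(base, "staging.zip"), "w") as zf:
        zf.writestr("dump.csv", "A" * 200_000)
    old = os.path.join(base, "old_backup.tar.gz")
    with gzip.open(old, "wb") as g:
        g.write(os.urandom(200_000))  # incompressible, so the file stays large
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("x" * 200_000)
    with zipfile.ZipFile(os.path.join(base, "tiny.zip"), "w") as zf:
        zf.writestr("a.txt", "hi")


def demo():
    """Build the sample tree in a temp directory and return the flagged names."""
    now = time.time()
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, now)
        findings = find_staging_archives(base, min_bytes=100_000,
                                         max_age_seconds=24 * 3600, now=now)
        return [os.path.basename(f.path) for f in findings]


if __name__ == "__main__":
    print(demo())
```

Only the fresh, large, real archive is flagged: the old backup fails the age test, the large text file has no archive signature, and the tiny zip is under the size floor. In practice the size floor and age window should be tuned per host, the sweep pointed at web roots, upload directories and temp paths, and the result correlated with the disk-usage figure rather than waiting for the "disk full" alarm the article describes.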