A Utah-based IT company found out it was hacked only after it received an alert about one of its servers running out of free disk space.
The hack impacted InfoTrax Systems, a US company based in Orem, Utah, that provides hosted applications for multi-level marketers (MLMs).
Companies rent access on InfoTrax servers so they can manage MLM operations, and store data on customers and employees, using InfoTrax's applications.
In 2016, the company announced a security breach during which a hacker stole the personal details of around one million users. Following tips that the company had failed to secure its servers, the Federal Trade Commission (FTC) started an investigation into the hack.
According to an FTC complaint at the time, the hacker exploited a vulnerability in InfoTrax's websites to upload malicious code that gave them remote control of the company's website and the adjacent server infrastructure.
Per the FTC, the hacker maintained access to InfoTrax's servers for almost two years, between May 2014 and March 2016, during which time they accessed the company's network on at least 17 different occasions.
InfoTrax failed to detect these intrusions. The FTC said the company did not have proper security systems in place to detect unauthorized access and file modifications. It was, however, alerted that something was wrong when one of its servers ran out of disk space, on March 7, 2016.
A subsequent investigation revealed that the hacker — while gathering data from InfoTrax's servers — had created “a data archive file that had grown so large that the disk ran out of space,” the FTC said.
In total, the hacker made off with around one million user records from multiple InfoTrax customers — from the company's total of 11.8 million user details it was storing on its servers at the time.
The theft was aided by the fact that InfoTrax was storing customer data in cleartext. Stolen information included Social Security numbers, payment card information, bank account information, and user names and passwords.
This week, the FTC and InfoTrax agreed to a settlement according to which the Utah-based company would implement security measures addressing the failures that led to the 2016 security breach. The settlement obliges InfoTrax to:
- inventory and delete personal information it no longer needs;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
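The "detect malicious file uploads" item above is the one that maps most directly onto the intrusion the FTC describes, where a web vulnerability let the attacker upload code that the server then ran. The following is an added example, written for this article and not code from InfoTrax or the FTC, of the kind of server-side check an upload handler can run before a file is written to disk: an extension allow-list, a magic-byte check so the content actually matches the declared type, a check for double extensions such as `report.php.jpg`, and a scan for server-side script markers inside what claims to be an image or PDF. The allow-list, the marker list and the sample batch are all constructed assumptions for the example.

```python
"""Pre-storage checks for user uploads. Example code added to this article;
the allow-list, marker list and sample files below are constructed, not real data."""
from __future__ import annotations

import re
from pathlib import Path

# Assumed allow-list of content types the upload form accepts (hypothetical).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

# Extensions a web server may execute if a file carrying them lands in a web root.
EXECUTABLE_EXTS = {".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh", ".exe"}

# Byte patterns that have no legitimate reason to appear inside an image or PDF upload.
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<%@|<script|eval\s*\(|base64_decode\s*\(",
    re.IGNORECASE,
)


def classify_upload(name: str, data: bytes) -> list[str]:
    """Return the findings for one upload; an empty list means nothing suspicious."""
    findings: list[str] = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    ext = suffixes[-1] if suffixes else ""

    # 1. Declared type must be on the allow-list, and the bytes must match it.
    if ext not in MAGIC:
        findings.append(f"extension {ext or '(none)'} not on allow-list")
    elif not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match {ext} signature")

    # 2. "report.php.jpg": some server configurations execute on the inner extension.
    if any(s in EXECUTABLE_EXTS for s in suffixes[:-1]):
        findings.append("executable inner extension")

    # 3. Script markers embedded in an otherwise well-formed image are a classic
    #    sign of code being smuggled through an upload form.
    if SCRIPT_MARKERS.search(data):
        findings.append("embedded script marker")
    return findings


def scan_uploads(uploads: dict[str, bytes]) -> dict[str, list[str]]:
    """Run classify_upload over a batch and keep only the files that have findings."""
    flagged: dict[str, list[str]] = {}
    for name, data in uploads.items():
        findings = classify_upload(name, data)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample batch: the shapes an upload handler sees, not real customer files.
SAMPLE_UPLOADS: dict[str, bytes] = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "banner.gif": b"GIF89a" + bytes(16),
    # JPEG header followed by a PHP tag: a script disguised as an image.
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 'placeholder'; ?>",
    # Genuine JPEG bytes, but a double extension a misconfigured server may execute.
    "report.php.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
    "backup.exe": b"MZ" + bytes(16),
    # Declared PNG, actually JPEG bytes: a renamed file.
    "logo.png": b"\xff\xd8\xff\xe0" + bytes(16),
}

if __name__ == "__main__":
    for name, findings in scan_uploads(SAMPLE_UPLOADS).items():
        print(f"{name}: {'; '.join(findings)}")
```

In a real deployment the findings would feed both an immediate reject of the upload and an alert, so that a rejected file is logged and reviewed rather than silently dropped; that second half is what turns an upload filter into the "detect unusual activity" control the settlement also calls for. Magic-byte and marker checks are cheap and catch the obvious cases, but they are a first line only: the upload directory should also be outside the web root and mounted without execute permission, so a file that slips past the filter still cannot run.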
In a press release published following the announcement of the FTC settlement, InfoTrax said it had already implemented many of these security measures, even before the FTC ruling.