InfoTrax Systems Discovered a Massive Data Breach Only After the Attackers Ran out of Storage Space
You read news about how hackers attack various online services and help themselves to your personal information every day. Data breaches are indeed a part of our everyday lives, and this is unlikely to change any time soon. This doesn't mean, however, that service providers should be any less careful with your data. Unfortunately, the story of InfoTrax Systems' data breach shows that this is exactly what's happening.
InfoTrax provides a range of IT services and software products to companies all around the world. Most of its customers are multi-level-marketing businesses that handle large amounts of data that belongs to end users, but the way events unfolded is proof that the IT vendor wasn't doing enough to protect all that information.
How InfoTrax got hacked
It all started in May 2014 when a hacker allegedly exploited a vulnerability in a website operated by one of InfoTrax's customers. They ran malicious code, which let them take control of one of InfoTrax's servers. They had the ability to look at, delete, and upload files, but at first, they decided not to pull any tricks that could raise suspicion. Apparently, over the next twenty-two months, they accessed the server a total of seventeen times, but they made no effort to steal or alter any information.
On March 2, 2016, however, the attacker began poking through the databases. That's when they got access to the personal details of around 1 million people, including names, physical and email addresses, Social Security Numbers, usernames, and passwords. Some of the data belonged to legacy systems and should have been deleted, but InfoTrax's information management practices were so bad that the company apparently didn't even know it existed.
Later that day, the intruder opened another log file with hundreds more names and addresses, Social Security Numbers, and some payment card details and bank account information. On March 6, the attacker found out that they could download plaintext login data, which would give them access to end users' accounts on websites owned by multi-level marketers.
Throughout all this, InfoTrax was completely unaware of the attack. In fact, were it not for an amateurish mistake on the part of the hacker, InfoTrax would probably have been oblivious to it to this very day.
The attacker makes a silly mistake
Having seen how much data could be obtained with relative ease, the hacker decided to create a big archive of it and download it all at once. The archive needed to be created on the server, however, and the attacker forgot to check how much storage space was left. Inevitably, the archive filled up the hard drive, and InfoTrax got a notification about it. This is what led to the discovery of the attack. It wasn't the end, though.
Upon learning about the whole thing on March 7, 2016, InfoTrax took steps to stop the intruder, but apparently, the precautions weren't effective enough. A week later, the hacker injected malicious code into a website operated by one of InfoTrax's customers. With it, they pilfered payment information during the checkout process. On March 29, the criminal used stolen login credentials to upload another script, which helped them steal even more personal and financial data.
InfoTrax will have to face the music
The theft has caused quite a lot of grief to InfoTrax customers and end users. Having learned about the breach, one of the affected multi-level marketing companies hired a third-party call center owned by AllClear ID, Inc. to help with the customer support in the wake of the incident. According to AllClear ID, close to 300 users have reported being defrauded in some way because of the InfoTrax breach.
Not surprisingly, the Federal Trade Commission decided to step in and file a complaint. According to a proposed settlement, InfoTrax won't be allowed to process any personal data unless it proves that its security mechanisms are strong enough to prevent similar incidents from happening in the future. Whether this falls under the "too little, too late" category is for you to decide.
Even without the FTC complaint, the consequences for InfoTrax's business can be quite serious considering the basic information management mistakes the company has made. Hopefully, this will be a lesson not only for InfoTrax but for other IT service providers as well.