Data thieves blew cover after maxing out victim’s hard drive

An anonymous cybercriminal (or perhaps a gang) over-pilfered a victim’s filesystem so thoroughly that a “disk full” alert blew the whistle on their massive data-stealing operation.

The Federal Trade Commission (FTC) has reached a settlement with InfoTrax, a Utah-based company that provides business operations software for multi-level marketers, after thieves stole a million sensitive customer records from its servers in 2016. The only reason it spotted the theft was that the crook filled up one of its servers’ hard drives while collecting the information, said the FTC in its complaint.

InfoTrax held data on almost 12 million consumers in September 2016, according to an FTC complaint which detailed what it called “unreasonable data security practices”.

The company didn’t delete consumer information held in its databases when it was no longer necessary, and didn’t audit the security of its software or network, the Commission said. Neither did it segment its network to stop attackers moving laterally through it. Perhaps the most damning allegation was that the company stored social security numbers (SSNs), full payment card information, bank account data and login credentials unencrypted.

These weaknesses enabled an attacker to break into the company’s network in May 2014 and plant a malware backdoor. Over the next two years, that backdoor let them view, download and delete files on the company’s servers, and upload more software at will. The attacker accessed the network 17 times in that period before harvesting the lion’s share of the company’s sensitive data.

On 2 March 2016, they stole a million people’s private data, including names, addresses, email and telephone numbers, and SSNs. The FTC added that one of the compromised databases was a legacy system containing data that the company didn’t even know about.

The thing that finally alerted InfoTrax to the two-year problem was that the hacker was collecting more data than the compromised server’s disk could hold, explained the FTC complaint:

The only reason Respondents received any alerts is because an intruder had created a data archive file that had grown so large that the disk ran out of space. 
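The check InfoTrax was missing, as an added example (not code from the article, the FTC or InfoTrax): a scan that flags large or fast-growing archive files, which is how data staged for theft typically looks on disk, plus a free-space check that fires while there is still headroom rather than at 0%. The thresholds, file names and sample directory are constructed for illustration.

```python
import os
import shutil
import tempfile

# Extensions commonly used to bundle data before moving it off a host.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".tar", ".gz", ".tgz"}

def scan_for_staged_archives(root, size_threshold, growth_threshold, prev_sizes=None):
    """Report archives over `size_threshold` bytes or grown by more than
    `growth_threshold` bytes since `prev_sizes` (path -> size, previous scan)."""
    prev_sizes = prev_sizes or {}
    findings, sizes = [], {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in ARCHIVE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:  # file vanished between listing and stat
                continue
            sizes[path] = size
            if size > size_threshold:
                findings.append((path, size, "large archive"))
            elif size - prev_sizes.get(path, size) > growth_threshold:
                findings.append((path, size, "fast-growing archive"))
    return findings, sizes

def low_disk_headroom(path, min_free_fraction=0.10):
    """True when free space on the volume holding `path` is below the fraction:
    the alert InfoTrax only got at 0%, raised while there is still room to act."""
    usage = shutil.disk_usage(path)
    return usage.free / usage.total < min_free_fraction

def demo():
    """Constructed sample: one oversized archive, one that grows between scans."""
    with tempfile.TemporaryDirectory() as root:
        big = os.path.join(root, "backup.zip")
        growing = os.path.join(root, "exports", "export.tar")
        os.makedirs(os.path.dirname(growing))
        with open(big, "wb") as f:
            f.write(b"\0" * 2048)  # 2 KiB, over the 1 KiB threshold used below
        with open(growing, "wb") as f:
            f.write(b"\0" * 100)
        _, first = scan_for_staged_archives(root, 1024, 500)
        with open(growing, "ab") as f:
            f.write(b"\0" * 700)  # grew by 700 bytes since the first scan
        findings, _ = scan_for_staged_archives(root, 1024, 500, first)
    return sorted((os.path.basename(p), reason) for p, _, reason in findings)
```

Run `scan_for_staged_archives` on a schedule and keep the returned `sizes` dict for the next run, so growth between scans is what triggers the alert rather than the disk finally filling.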

The incident response was, shall we say, leisurely. When InfoTrax finally discovered the presence of the intruder(s), 

Only then did Respondents begin to take steps to remove the intruder from InfoTrax’s network. 

While those steps were being taken, more data was being pilfered: on 14 March 2016, the attacker hit the company through a website portal for its distributors. On 29 March they uploaded more malicious code via an InfoTrax client’s web portal, collecting fresh data that included “newly submitted full names, payment card numbers, expiration dates, and CVVs.”

InfoTrax agreed to settle the case with the FTC. The settlement, with the company and its founder Mark Rawlins, forces InfoTrax to create an information security program with cybersecurity safeguards including network segmentation, detection of unknown file uploads, an intrusion prevention system, and data encryption. It must also commission penetration testing and software code review, the settlement added, and get regular security audits from third-party providers.

InfoTrax posted a public statement saying that it had already put in place many of the FTC’s mandated steps, adding:

We deeply regret that this security incident happened. Information security is critical and integral to our operations, and our clients’ and customers’ security and privacy is our top priority.

The settlement agreement doesn’t impose any monetary penalties on the company. Commissioners passed it unanimously.