By Bruce Sussman
Thu | Nov 14, 2019 | 2:56 PM PST

Organizations learn about their data breaches in different ways.

In this case, it was a server that gave the breach away, when it started warning that space was running low.

It turns out, a hacker had been working secretly inside the company network for years and generated some massive data files. About one million records were exposed.

InfoTrax failed to implement reasonable cybersecurity

This happened to InfoTrax, which offers software solutions for sales organizations.

The company issued a breach notification in 2016, but now the Federal Trade Commission has filed a complaint against the company. It reveals a failure to secure the data. 

Here is what the FTC report says about InfoTrax in a section titled "Respondents' Unreasonable Data Security Practices":

"From at least 2014 through March 2016, Respondents [InfoTrax] engaged in a number of unreasonable data security practices. Among other things, Respondents:

a. failed to have a systematic process for inventorying and deleting consumers' personal information stored on InfoTrax's network that is no longer necessary;

b. failed to adequately assess the cybersecurity risk posed to consumers' personal information stored on InfoTrax's network by performing adequate code review of InfoTrax's software, and penetration testing of InfoTrax's network and software;

c. failed to detect malicious file uploads by implementing protections such as adequate input validation;

d. failed to adequately limit the locations to which third parties could upload unknown files on InfoTrax's network;

e. failed to adequately segment InfoTrax's network to ensure that one client's distributors could not access another client’s data on the network;

f. failed to implement safeguards to detect anomalous activity and/or cybersecurity events. For example, Respondents failed to:

i. implement an intrusion prevention or detection system to alert Respondents of potentially unauthorized queries and/or access to InfoTrax's network;

ii. use file integrity monitoring tools to determine whether any files on InfoTrax's network had been altered; and

iii. use data loss prevention tools to regularly monitor for unauthorized attempts to exfiltrate consumers' personal information outside InfoTrax's network boundaries; and

g. stored consumers' personal information, including consumers' SSNs, payment card information (including full or partial credit card and debit card numbers, CVVs, and expiration dates), bank account information (including account and routing numbers), and authentication credentials such as user IDs and passwords, in clear, readable text on InfoTrax's network."

This section of the report concludes:

"Respondents could have addressed each of the failures described... by implementing readily available and relatively low-cost security measures."

Ouch. We are hard-pressed to remember another data breach post-mortem this scathing.

The review of cybersecurity practices at the FDIC, which revealed five cybersecurity fails, may come close.

What is reasonable cybersecurity?

The FTC report on the InfoTrax data breach leads to an important question: what is reasonable cybersecurity? How do courts and counsel view it right now?

Our story with well-known cybersecurity and privacy attorney Shawn Tuma explores the topic of reasonable cybersecurity. Here's a preview from our interview with him. Hopefully, it will help your organization stay ahead of where InfoTrax was on security.

[RELATED: FTC Complaint Against InfoTrax]