
Server breach exposing personal info of 1 million people found only after the hacker filled up the server's storage

Quote

The US Federal Trade Commission has sued an IT provider for failing to detect 20 hacking intrusions over a 22-month period, allowing the hacker to access the data for 1 million consumers. The provider only discovered the breach when the hacker maxed out the provider’s storage system.

Quote

Utah-based InfoTrax Systems was first breached in May 2014, when a hacker exploited vulnerabilities in the company’s network that gave remote control over its server, FTC lawyers alleged in a complaint. According to the complaint, the hacker used that control to access the system undetected 17 times over the next 21 months. Then on March 2, 2016, the intruder accessed personal information for about 1 million consumers. The data included full names, social security numbers, physical addresses, email addresses, phone numbers, and usernames and passwords for accounts on the InfoTrax service.

Quote

The intruder accessed the site later that day and again on March 6, stealing 4,100 usernames, passwords stored in clear-text, and hundreds of names, addresses, Social Security numbers, and data for payment cards.

The complaint said InfoTrax employees did not discover the breach until March 7, 2016, when they received alerts that one of the company's servers had reached its maximum storage capacity. The alert was the result of the intruder creating a data archive file that had grown so large that a hard drive ran out of space. It was only then, FTC attorneys said, that InfoTrax began taking steps to secure its network.

Even after the breach came to light, the InfoTrax network was compromised at least two more times, the FTC alleged. One week later, an intruder used malicious code to collect data through an InfoTrax customer’s website that harvested more than 2,300 unique, full payment card numbers, including names, physical addresses, CVVs, and expiration dates. Then on March 29, an intruder used the user ID and password of an InfoTrax client to upload more malicious code. The intruder used the access to collect newly submitted payment card data.

Quote

Specific failures alleged by the FTC against InfoTrax included not:

  • taking inventory and deleting personal data it no longer needed
  • conducting code review of its software and testing the security of its network
  • detecting malicious file uploads
  • adequately segmenting its network
  • implementing security safeguards to detect suspicious activity on its network

The FTC said in a statement that as part of a proposed settlement, InfoTrax will be barred from collecting, selling, sharing, or storing personal information unless the company implements a security program that corrects the failures identified in the complaint. InfoTrax will also be required to obtain third-party assessments of its security every two years.

https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/


This is probably one of the worst server security flops I've ever heard of. Why would you store any of this in clear text? And after they discovered the breach, they should have cut off connection to the server or isolated some of the more sensitive files until the breach was fixed. Also, real amateur move by the hacker making an archive file that big. He should have known that if a server fills up for no reason that would make the IT company suspicious, but maybe he didn't expect to get away with it for so long, or he thought they actually wouldn't notice because, to be fair, they probably hadn't impressed him so far.

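The complaint faults InfoTrax for lacking safeguards to detect suspicious activity and malicious file uploads, and the breach surfaced only once a staged archive filled a disk. As an added example (not code from the article, the thread, or InfoTrax), the two checks below show the earlier signals a defender could have alerted on: a large archive appearing under a data or web directory, and an abnormal disk-growth rate between monitoring samples. The directory layout, thresholds and usage samples are constructed for the demo.

```python
"""Added example: two early-warning checks for staged-archive exfiltration.
Paths, thresholds and sample data are assumptions constructed for the demo."""
import os
import tempfile
from datetime import datetime, timedelta

ARCHIVE_EXTS = (".zip", ".tar", ".tgz", ".gz", ".7z", ".rar")


def find_staged_archives(root, min_bytes=100 * 1024 * 1024):
    """Return (path, size) for archive files under root at or above min_bytes,
    largest first. A big archive appearing in an upload or data directory is
    a classic sign of data being staged for exfiltration."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, name)
                size = os.path.getsize(path)
                if size >= min_bytes:
                    hits.append((path, size))
    return sorted(hits, key=lambda h: -h[1])


def disk_growth_alerts(samples, max_bytes_per_hour):
    """samples: list of (datetime, used_bytes) ordered by time.
    Return the indexes of samples whose growth since the previous sample
    exceeded max_bytes_per_hour, so the alert fires while space remains
    rather than when the disk is already full."""
    alerts = []
    for i in range(1, len(samples)):
        t0, u0 = samples[i - 1]
        t1, u1 = samples[i]
        hours = (t1 - t0).total_seconds() / 3600
        if hours > 0 and (u1 - u0) / hours > max_bytes_per_hour:
            alerts.append(i)
    return alerts


def demo():
    # Constructed sample tree: one oversized archive beside a normal file.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "export.zip"), "wb") as f:
        f.write(b"\0" * 2048)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<html></html>")
    archives = find_staged_archives(root, min_bytes=1024)
    # Constructed usage samples: steady, then a sudden jump in one hour.
    t = datetime(2020, 1, 1)
    samples = [(t, 100), (t + timedelta(hours=1), 110),
               (t + timedelta(hours=2), 900)]
    return archives, disk_growth_alerts(samples, max_bytes_per_hour=200)
```

In production the thresholds would come from a baseline of normal disk usage, and the archive scan would be scoped to web roots and data directories rather than the whole filesystem.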

Why would a hacker be storing anything on the target server? Don't they normally try to leave as little a trace of their activities as possible? Maybe the full drive was just the result of yet another problem...


2 hours ago, Vorg said:

Why would a hacker be storing anything on the target server? Don't they normally try to leave as little a trace of their activities as possible? Maybe the full drive was just the result of yet another problem...

Maybe he was compressing the data to make it easier to transfer, but yeah, he shouldn't have let it fill up the server.


Could be many reasons why he used up the storage:

could care less

info wasn't that secret

could get away with it easy enough

could have been some hacker slipping up


Unless this is an open and shut case, I can see it causing the industry to end up only being the fly-by-night companies (those who throw in a cheap quote, do a dodgy job and shut down the business before they can be sued) or the extremely overpriced and well organized firms that cause the cost of all the products to go up as they dot all the t and cross the i's (sic) in gold plated individually insured contracts.

