IT Provider Discovers Massive Breach After Hacker Runs Out of Storage Space

ArsTechnica reports that InfoTrax Systems, an IT provider, was first breached in 2014, when a hacker exploited vulnerabilities in the company’s network that gave remote control over its server. The FTC has now filed a complaint alleging that InfoTrax failed to detect hacking intrusions for nearly two years after that breach, allowing the hacker to access data for about 1 million consumers. The breach was finally discovered when the hacker maxed out the provider’s storage system. The data included full names, social security numbers, physical addresses, email addresses, phone numbers and data for payment cards. InfoTrax employees finally discovered the breach when the intruder created a data archive file so large that a hard drive ran out of space. At that point, FTC attorneys said, InfoTrax began taking steps to secure its network, but even so the network was compromised at least two more times. One week later, an intruder used malicious code to collect data through an InfoTrax customer’s website that harvested more than 2,300 unique, full payment card numbers, including names, physical addresses, CVVs, and expiration dates. InfoTrax’s “failure to provide reasonable security for the personal information of distributors and end consumers has caused or is likely to cause substantial injury to consumers in the form of fraud, identity theft, monetary loss, and time spent remedying the problem,” FTC lawyers wrote in the complaint.