InfoTrax settles FTC Act consumer privacy and security violations
The FTC has gone after MLM services provider InfoTrax for multiple violations of the FTC Act.
InfoTrax is a well-established services provider within the MLM industry. The company is based in Utah and was founded in 1988 by CEO Mark Rawlins.
Typically, InfoTrax operates the major aspects of its clients’ website portals for their distributors and customers.
Through these website portals, individuals register with multi-level marketers as distributors, place orders for themselves and the end consumers who purchase from them, and enroll new distributors.
According to the FTC’s complaint, InfoTrax and owner Rawlins “engaged in a number of unreasonable data security practices” between 2014 and 2016.
Among the more egregious examples cited by the FTC is InfoTrax storing consumers’ personal details and authentication credentials in plain text on its servers.
As a result of InfoTrax’s security failures, in May 2015 an intruder managed to access their servers.
During a period of almost two years, between May 5, 2014, and February 23, 2016, an intruder accessed InfoTrax’s server undetected a total of seventeen times.
Thereafter, on March 2, 2016, an intruder began to pull information from InfoTrax’s systems.
Specifically, the intruder queried certain databases on InfoTrax’s systems from which the intruder accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.
One of these databases contained legacy data that Respondents failed to migrate to a new product. Because Respondents did not properly inventory and manage this data, they did not know this data existed, much less take steps to protect it.
On that same day, an intruder accessed a different log file stored on InfoTrax’s server that contained, among other things, even more personal information of consumers, including over 600 names and addresses, over 150 SSNs or other government identification numbers, over 500 unique unmasked payment account numbers with expiration data and CVVs, and 16 bank account and routing numbers.
On March 6, 2016, an intruder queried yet another database from which the intruder accessed over 4100 user IDs and passwords of distributors, in clear text, which could be used to access a client’s website.
With these user IDs and passwords, the intruder could access those distributors’ accounts, where the intruder could access some of the personal information of those distributors and their end consumers, as well as personal information from other websites where distributors and their end consumers used the same user IDs and passwords.
During the period in which intruders had access to InfoTrax’s systems, personal data belonging to some 11.6 million consumers was at risk.
The FTC alleges personal data stolen from InfoTrax’s systems ‘is often used to commit identity theft and fraud.’
For example, identity thieves use stolen names, addresses, and SSNs to apply for credit cards in the victim’s name.
When the identity thief fails to pay credit card bills, the victim’s credit suffers.
InfoTrax’s breaches affected distributors and end consumers for several multi-level marketers, including dōTERRA, XanGo, and LifeVantage.
A call center used by just one of InfoTrax’s clients recorded over 280 fraud reports in 2016.
For their part, InfoTrax did inform their clients of the breaches.
InfoTrax notified all of its clients of the breaches so they could respond appropriately.
For example, between March 2016 and April 2016, one InfoTrax client sent out breach notifications to payment card networks, banks, credit reporting agencies, law enforcement, state regulators, distributors, and end consumers, and it hired counsel and security experts to investigate the breaches.
Nonetheless, the FTC leveled the count of “Unfairness: Failure to Employ Reasonable Data Security Practices” at InfoTrax and Rawlins.
As part of a settlement reached between the FTC, InfoTrax and Rawlins, the two are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint.
This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.
In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years.
Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review.
Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
Of note, there is no monetary component to the settlement.