Data thieves blew cover after maxing out victim’s hard drive
An anonymous cybercriminal (or perhaps a gang) blew the “disk full” whistle on their own massive data-stealing operation by over-pilfering from a victim’s filesystem.
The Federal Trade Commission (FTC) has reached a settlement with InfoTrax, a Utah-based company that provides business operations software for multi-level marketers, after thieves stole a million sensitive customer records from its servers in 2016. The only reason it spotted the theft was that the crook filled up one of its servers’ hard drives collecting the information, said the FTC in its complaint.
InfoTrax held data on almost 12 million consumers in September 2016, according to an FTC complaint which detailed what it called “unreasonable data security practices”.
The company didn’t delete consumer information held in its databases when it was no longer necessary, and didn’t audit the security of its software or network, the Commission said. Neither did it segment its network to stop attackers moving laterally through it. Perhaps the most damning allegation was that the company stored social security numbers (SSNs), full payment card information, bank account data and login credentials unencrypted.
These loopholes enabled an attacker to break into the company’s network back in May 2014 and insert a malware back door. Over the next two years, this hole let them view, download, and delete files on the company’s servers, and upload more software at will. The attacker accessed the network 17 times over the following two years before harvesting the lion’s share of the company’s sensitive data.