FTC approves settlement with Utah tech company after data breach

SALT LAKE CITY — The Federal Trade Commission has signed off on a settlement with a Utah technology company that allegedly failed to use adequate cybersecurity, allowing a hacker to access the personal information of more than a million consumers.

The FTC alleged that InfoTrax Systems and former CEO Mark Rawlins didn’t take reasonable, low-cost and readily available security measures to safeguard its business clients. The Orem-based company provides software and hosting solutions for direct-selling companies.

As a result of the alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company for clients, more than 20 times from May 2014 until March 2016. The hacker accessed consumers’ sensitive personal data including Social Security numbers, according to an FTC complaint.

InfoTrax said it took immediate action to secure the data and shut down any further unauthorized access. It also contacted clients and voluntarily requested the support of law enforcement, including the FBI, to determine the nature and scope of the breach. The company also contacted forensic security experts to help identify where its system was vulnerable and to take steps to improve security and prevent further incidents.

Without agreeing with the FTC’s findings, InfoTrax signed a consent order last November that outlines the security measures it will maintain going forward. After receiving no comments on the settlement, the FTC voted 5-0 to finalize the order with InfoTrax and Rawlins.

As part of the agreement, InfoTrax and Rawlins are prohibited from collecting, selling, sharing or storing personal information unless they implement an information security program that addresses the security failures identified in the FTC complaint.

In addition, the settlement requires the company and Rawlins to obtain third-party assessments of their companies’ information security programs every two years.

Related topics