An American company discovered a hack when the server ran out of free space
<img width="600" alt="world4.jpg" src="/upload/medialibrary/7be/7be3713512d5bfe22ab6cd1feccf0bf3.jpg" height="400" title="world4.jpg"><br>
The computer systems of the American company InfoTrax Systems were hacked more than 20 times between May 2014 and March 2016. The company learned about the hack only after the server ran out of free space due to the archive created by the attacker.
According to the US Federal Trade Commission (FTC), the hacking occurred in May 2014, when a cybercriminal exploited vulnerabilities on the server and on the website of one of the company's clients to gain remote control of the company's server and access to confidential information of 1 million customers.
FTC sues InfoTrax Systems for failure to protect customer personal data. The criminal secretly gained access to the system 17 times during 21 months, and on March 2, 2016 he began to collect personal information of customers, including names, social security numbers, physical addresses, email addresses, phone numbers, logins and passwords for accounts of 4100 distributors and Admins in InfoTrax The data leak also included information about the payment cards of some customers (full or partial card numbers, CVV and expiration dates), as well as information about bank accounts, including account numbers and bank codes.
The company discovered a compromise on March 7, 2016. After detecting the leak, the attacker managed to break into the company's systems at least two more times. On March 14, 2016, the offender stole more than 2,300 unique payment card numbers, including names, physical addresses, CVV and expiration dates, as well as other payment information. Then he introduced another malicious code to collect fresh data from the client’s website.
According to the FTC, InfoTrax Systems has failed to “inventory and delete outdated personal data, check its software code and test the network, detect malware downloads, adequately segment the network and implement security measures to detect unusual activity.” As a result, now the company must implement a comprehensive data protection program, as well as check its systems every two years.