In 2019, Filters Fast experienced a data breach when a threat actor exploited a plugin vulnerability in vBulletin. Using SQL injection, the attacker was able to obtain consumers’ cardholder names, billing addresses, expiration dates, validation codes, and primary account numbers for purchases made between June, 2019 and July, 2020.
Filters Fast did not detect any vulnerability in their system or breach. When when notified in February 2020 that they were a “common point of compromise,” they investigated but claimed they did not find anything. In March, 2020, they had their web host rebuild the server “out of an abundance of caution,” but the bad code remained on the server, and hence, continued to compromise the checkout process.
In May, 2020, MasterCard informed them of ongoing evidence of compromise and requested that they arrange for an audit. Forgenix was hired, but reportedly found nothing initially. In July, however, according to the NY Attorney General’s summary of the chronology, “Foregenix reported that it discovered conclusive evidence of a breach. Foregenix reported that the vulnerability exploited by the attacker was rated as “critical” by the National Institute of Standards and Technology and a software patch had been issued to fix it three years before the company was attacked.”
Filters Fast began notifying consumers in August, 2020, and New York announced a settlement of charges yesterday. In the press release, the state wrote, in part:
NEW YORK – New York Attorney General Letitia James today announced a $200,000 agreement with Filters Fast that resolves a 2019 data breach that compromised the personal information of approximately 320,000 consumers nationwide, including approximately 16,500 in New York state. Filters Fast — a popular online water filtration retailer — experienced a data breach in which attackers collected sensitive customer information during Filters Fast’s online checkout process. The compromised information included credit card holders’ names, billing addresses, expiration dates, and security codes. The website was compromised for close to a year — affecting purchases made on the site between July 16, 2019, and July 10, 2020.
[…]
As part of today’s agreement, Filters Fast will make a series of improvements designed to protect consumer personal information from cyberattacks in the future, including:
- Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company’s CEO concerning security risks;
- Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
- Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and
- Ensuring that third-party security assessments take place over the next five years.
Pursuant to the agreement, Filters Fast has agreed to pay the state of New York $200,000, $100,000 of which is suspended, but that will be immediately due if Filters Fast materially misstated its financial condition.