Filters Fast agrees to pay New York Attorney General
Filters Fast this week agreed to pay $200,000 to resolve an investigation into a data breach stemming from a cyber-attack in 2019 that exposed the payment card details of an estimated 320,000 consumers.
The US air and water filtration supplier agreed to pay the sum to the New York Attorney General's Office and further agreed to create a comprehensive information security program in order to minimize the chance of further breaches. Half the $200,000 payment will be paid up front, with the remainder suspended.
Filters Fast became one of the growing list of online companies to suffer from a Magecart-style credit card skimmer attack as the result of a breach that lasted between July 2019 and July 2020, when the problem was finally identified. The breach provoked the lawsuit from the Attorney General of New York (NYAG) after some 324,000 US citizens were affected.
The as-yet unknown attackers exploited a known vulnerability in a plugin for vBulletin on the Filters Fast web forum to gain initial access via a SQL injection attack, according to testimony (PDF) by investigators working for the NYAG.
According to a statement on the settlement, attackers collected sensitive customer information after compromising Filters Fast’s online checkout process. Harvested information included credit card holders’ names, billing addresses, expiration dates, and security codes.
Filters Fast had the opportunity to resolve the breach months before it was finally confirmed.
On February 25, 2020, a credit card payment system management company notified Filters Fast of links between purchases to its site and subsequent fraudulent transactions.
An internal investigation by Filters Fast at the time wrongly concluded there was no breach. It was only when further reports of a similar fraud pattern arrived in May that an external forensics investigator was hired, who belatedly confirmed the breach and identified its cause as a missed software patch.
The critical software update – available for three years prior – was only applied on July 10, 2020, at which point attackers were finally locked out of the system.
It was only in August 2020 – more than a year after the initial compromise of its systems and some six months after the first “common point of purchase notification” – that Filters Fast began notifying affected customers, who were offered apologies and 12 months of identity protection services.
The Daily Swig contacted Filters Fast to comment on the settlement with New York state.
No word back as yet but we’ll update this story as and when more information comes to hand.