New York AG quickly settles for data breaches with filters

On May 18, 2021, New York Attorney General (“AG”) Letitia James announced a settlement agreement with Filters Fast LLC (“Filters Fast”) over a data breach involving the personal information of approximately 324,000 consumers nationwide, including over 16,500 New York, residents of the state were compromised. The breach involved purchases on the Filters Fast website for almost a year – from July 16, 2019 to July 10, 2020.

Filters Fast, an online air and water filter retailer, was notified on February 25, 2020 by a credit card payment system management company that its website has been flagged as a general point of sale (“CPP”) for unauthorized credit card purchases. The CPP notification came seven months after an attacker exploited a known vulnerability in a plugin on the Filters Fast website that allowed the attacker to collect the names, billing addresses, expiration dates, validation codes and primary account numbers from customers using the products Purchased on the site by credit card.

Following the CPP notification, Filters Fast conducted an internal investigation but found insufficient evidence of a violation. At the request of a payment card brand, Filters Fast finally hired an external forensic investigator who initially also found no evidence of a violation, but discovered the plug-in vulnerability at the end of July 2020. A software patch to fix the vulnerability was released three years before the attack on Filters Fast, but it was not implemented until July 10, 2020.

Under the terms of the settlement, Filters Fast is required to pay $ 200,000 to New York State (of which $ 100,000 is suspended on condition that Filters Fast has not made any “material misrepresentation”).[]“Its financial position). In addition, Filters Fast must (1) implement and enforce systems and security measures to prevent future data breaches; (2) establish a security program to ensure regular updates and reports to the Filters Fast CEO; (3) implement an incident response and data breach notification plan to identify, contain, remediate, and recover from breaches; and (4) ensure that third party safety assessments are conducted for the next five years.

Attorney General James said the comparison is an example of New York AG’s commitment to protecting online consumers and “using every tool available to hold companies accountable when they fail to protect personal information.”

Read the settlement.

Comments are closed.