Cybersecurity incident – US based website hosting company, IOFORT (https://iofort.com/) has reportedly stolen the sensitive personal identifiable information ( PII ) from two of the Australian based customers.
IOFORT data centers are located at Los Angeles, CA; Atlanta, GA; and Rotterdam, NL.
Security researchers have discovered that this massive data theft and cyber breach involved Atlanta, GA, USA based datacenter of IOFORT.
This severe cybercrime incident has threatened the privacy of millions of individuals as the data stolen by IOFORT contained their personal information including names, date of birth, passport details, bank details, verifiable academic documents, driving licenses, and address proofs.
This has also been notified that IOFORT is still in possession of this data and has suspended the client accounts of two Australian companies abruptly, threatening them of the dire consequences.
In response to the support and backup requests, IOFORT representatives threatened the customer company officials and completely refused to hand over their data to the relevant party.
This data also has potentially compromised usernames and passwords connected with WordPress, SQL and other associated technologies, which were used by these two Australian companies to build their websites.
It is not known, however, if IOFORT has also stolen data from their other customers around the world.
Even after a number of attempts IOFORT.com team remains unreachable and unresponsive for any comments.
Throughout their websites and social media channels there is no company owner, organization structure or names of any employee is mentioned.
They seem hide the identity of their company directors, executives or employee, so the regulatory authorities or enforcement agencies can not do an investigation easily.
Based on the incident described above other IOFORT customers are advised to check their websites and database for a potential data theft and cybercrime.
It is also unclear how long IOFORT has been involved in data theft and cybercrime related activities.
If a cybercriminal had access to this crucial information, it could potentially compromise thousands of business websites and millions of business user accounts as well as their company and personal information.
As a response to the threat posed by these two Australian companies, a formal complaint is being filed with relevant cybercrime regulatory agencies and data protection authorities including:
- FBI’s Internet Crime Complaint Center – https://www.ic3.gov/ and https://tips.fbi.gov/
- National Cyber Investigative Joint Task Force – https://www.fbi.gov/investigate/cyber/national-cyber-investigative-joint-task-force
As the documents to support this claim, these two Australian companies are also submitting their service agreements, invoices, payment receipts, account details, hosting account details, support request details and all the email communications they had with IOFORT teams leading to the data theft and subsequent abrupt suspension of their client accounts on IOFORT’s website hosting platform.
This matter raises serious danger as the data of these two Australian companies was with IOFORT for last 3+ years.
While it is unusual, but it will surely tarnish the image of whole website hosting provider community including WHMCS Limited (https://www.whmcs.com/) which IOFORT used as an affiliate to provide website hosting services.
Industry leading information security researchers also reviewed the legal documentation provided on IOFORT terms of service (https://iofort.com/terms/) and privacy policy (https://iofort.com/privacy) pages.
They indicated that these legal clauses were not in compliance with the below mentioned data protection laws;
- GDPR (General Data Protection Regulation)
- California Privacy Protection Act (CalOPPA)
- California Consumer Privacy Act (CCPA)
- Children’s Online Privacy Protection Act (COPPA)
- The Article 29 Data Protection Working Party (‘WP29’)
- Art. 9 GDPR Processing of special categories of personal data
- The Washington Privacy Act, Senate Bill 6281 (“WPA”)
- New York Privacy Act (S5642) (“NYPA”)
IOFORT customers and affiliates are immediately suggested to verify for the data breach and cyber security related incidents and their company’s data.
Faced by this data theft incident, IOFORT.com has allegedely hired an online review manegement agency to remove their customer review from various websites in a bid to fix their reputation.
