New York Attorney General Letitia James today announced a $200,000 agreement with Filters Fast that resolves a 2019 data breach that compromised the personal information of approximately 320,000 consumers nationwide, including approximately 16,500 in New York state. Filters Fast — a popular online water filtration retailer — experienced a data breach in which attackers collected sensitive customer information during Filters Fast’s online checkout process. The compromised information included credit card holders’ names, billing addresses, expiration dates, and security codes. The website was compromised for close to a year — affecting purchases made on the site between July 16, 2019, and July 10, 2020.
“New Yorkers should never have to worry that their personal information will be attacked during a routine online checkout process,” said Attorney General James. “Filters Fast fell far short of its responsibilities of protecting its customers against attacks on its online platform, and of promptly informing customers of any such attack so that they could take the necessary steps to protect their identities. Online information security has been especially critical during the COVID-19 pandemic, during which New Yorkers have increasingly relied on online retailers, such as Filters Fast, to purchase basic household goods. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”
On July 15, 2019, attacker(s) exploited a known vulnerability in Filters Fast’s online checkout process. The attacker(s) proceeded to collect the names, billing addresses, expiration dates, and security codes of customers who purchased products on Filters Fast’s website via credit card. On February 25, 2020, a credit card payment system management company notified Filters Fast that the online retailer’s website had been flagged as a common point of purchase for unauthorized purchases on customers’ credit cards. Such notifications are usually received by merchants who have an ongoing compromise.
Filters Fast personnel conducted an internal investigation and erroneously concluded that there was no breach. On May 13, 2020 — after additional reports of compromise — a credit card company requested that Filters Fast retain the services of a forensic investigator to formally audit its systems. After an initial report failing to identify a breach, the investigator produced a report, in late July, that discovered conclusive evidence of a breach. The investigator noted that a software patch had been issued to fix the problem three years before the company was attacked. The website was finally patched on July 10, 2020.
In total, the breach affected approximately 324,000 U.S. residents, and, more specifically, 16,618 New York residents. On August 14, 2020 — over a year after the breach occurred, and nearly six months after Filters Fast had received its first common point of purchase notification — the company began notifying affected customers whose credit card information had been accessed during the breach. With the notification, the company offered to provide affected customers with up to 12 months of identity theft protection services.
As part of today’s agreement, Filters Fast will make a series of improvements designed to protect consumer personal information from cyberattacks in the future, including:
- Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company's CEO concerning security risks;
- Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
- Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and
- Ensuring that third-party security assessments take place over the next five years.
Pursuant to the agreement, Filters Fast has agreed to pay the state of New York $200,000, $100,000 of which is suspended, but that will be immediately due if Filters Fast materially misstated its financial condition.
This matter was handled by Deputy Bureau Chief Clark Russell, Internet and Technology Analyst Joe Graham, and Volunteer Assistant Attorney General Anton Nemirovski — all of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.