Privacy & Information Security Law Blog

On May 18, 2021, New York Attorney General (“AG”) Letitia James announced a settlement agreement with Filters Fast LLC (“Filters Fast”) over a data breach that compromised personal information of approximately 324,000 consumers nationwide, including over 16,500 New York state residents. The breach affected purchases made on Filters Fast website for almost a year – from July 16, 2019 to July 10, 2020.

Filters Fast, an online air and water filter retailer, was notified by a credit card payment system management company on February 25, 2020 that its website had been flagged as a common point of purchase (“CPP”) for unauthorized credit card purchases. The CPP notification came seven months after an attacker exploited a known vulnerability in a plugin on the Filters Fast website that allowed the attacker to collect the names, billing addresses, expiration dates, validation codes and primary account numbers of customers who purchased products on the website via credit card.

After the CPP notification, Filters Fast conducted an internal investigation but found insufficient evidence of a breach. At the request of a payment card brand, Filters Fast eventually engaged an outside forensic investigator that initially also did not find evidence of a breach, but in late July 2020, discovered the plugin vulnerability. A software patch to fix the vulnerability had been issued three years prior to Filters Fast being attacked, but the company did not implement the patch until July 10, 2020.

Under the terms of the settlement, Filters Fast is required to pay the state of New York $200,000 ($100,000 of which is suspended on the condition that Filters Fast did not “materially misstate[]” its financial position). In addition, Filters Fast will be required to (1) execute and enforce systems and security measures to prevent future data breaches; (2) create a security program to ensure regular updates and reports to Filters Fast’s CEO; (3) execute an incident response and data breach notification plan to identify, contain, eradicate and recover from breaches; and (4) ensure that third-party security assessments take place over the next five years.

Attorney General James stated that the settlement exemplifies the New York AG’s dedication to protect online consumers and to “use every available tool to hold companies accountable when they fail to safeguard personal information.”

Read the settlement.