Water Filtration Retailer Settles Allegations Stemming from 2019 Data Breach

  • New York AG Letitia James reached a settlement with online water filtration retailer Filters Fast LLC to resolve allegations that it failed to protect customers’ payment card information in a 2019 data breach in violation of New York’s consumer protection laws.
  • According to the assurance of discontinuance, the AG’s office found that hackers exploited a known vulnerability in Filter Fast’s checkout process—for which a patch was available for years before the breach—to collect consumer payment information, and that the breach was not found and patched for more than a year after the original hack despite Filters Fast being warned of the breach by a payment system management company. The incident affected 324,000 customers, including approximately 16,500 New Yorkers.
  • Under the terms of the assurance of discontinuance, Filter Fast will pay $200,000 to the state—of which $100,000 is suspended due to Filter Fast’s financial condition—and improve its data security measures, including creating a comprehensive information security program and an incident response and data breach notification system, adopting personal information safeguards such as encryption, segmentation, and patch management, and obtaining third-party security assessments of its networks for the next five years, among other things.