Equifax Used ‘Admin’ as Username and Password Guarding Vital Data
Reports are circulating that Equifax had set ‘admin’ as both the default username and password credentials for a database that contained extremely sensitive information, according to details listed in a lawsuit filed in federal court in the Northern District of Georgia.
BuzzFeed reporter Jane Lytvynenko first tweeted the revelation last week after she was privy to court documents. “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that is ‘a surefire way to get hacked,’” the lawsuit read.
Details of the lawsuit also show that Equifax had admitted to utilising unencrypted servers to store vital data on its customers, and had a public-facing website which potentially gave hackers easy access to extremely sensitive data that it was required to keep secure.
The lawsuit alleges that where Equifax, one of the US’ largest credit reporting agencies, did in fact encrypt the data, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
According to Yahoo Finance’s Ethan Wolff-Mann, “the class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers, but rather shareholders that allege the company didn’t adequately disclose risks or its security practices.”
Details in the filed lawsuit show that claimants were demanding damages over “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”
Early last year, Equifax filed a motion to dismiss the case, stating that “plaintiff’s complaint is devoid of facts even plausibly that Defendants were aware of any information contradicting their public statements when made… Instead, Plaintiff’s claims hang almost entirely on supported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident - at no conceivable benefit to themselves.”
The motion was rejected in January 2019 by the court, which stated that “Equifax’s cybersecurity was dangerously deficient,” adding that because “the company relied on a single individual to manually implement its patching process across its entire network,” it lacked adequate cybersecurity processes to protect data stored on its servers.
Earlier this year we reported that Equifax reached a settlement with the US Federal Trade Commission (FTC) in the aftermath of a 2017 data breach that saw hackers gain access to the personal and financial information of as many as 150 million Americans.