Equifax Used Default ‘Admin’ Password, Lawsuit Alleges

Lawsuit alleges Equifax failed to take the most basic security precautions that resulted in highly damaging breach in 2017

Credit checking specialist Equifax is facing more legal headaches after a lawsuit alleged multiple corporate failings and poor practices by its security team.

The ‘securities fraud class action’ lawsuit, filed in the Northern District of Georgia (Equifax has its headquarters in Georgia), alleges that Equifax “failed to take some of the most basic precautions to protect its computer systems from hackers.”

In July it was revealed that Equifax would pay an eye-watering data breach settlement of around $700m to US regulators and US states.

Poor practices

Equifax revealed a highly damaging breach to the world in September 2017.

That breach resulted in the theft of the data belonging to 143 million US consumers (and 15.2 million British citizens).

Data stolen included names, addresses, social security numbers, and dates of birth.

What made the Equifax breach so damaging was that the firm had discovered the breach back in July 2017 but waited 40 days before telling the world.

Even worse, Equifax’s IT team had known about the vulnerability exploited by the hackers as far back as March 2017, after a security researcher had warned the firm about its vulnerability to a cyberattack months before it actually suffered the breach.

“Equifax’s cybersecurity was dangerously deficient,” the lawsuit alleges. “The Data Breach, according to the Plaintiff, was the inevitable result of widespread shortcomings in Equifax’s data security systems.”

“According to the Plaintiff’s allegations, Equifax’s data protection measures were ‘grossly inadequate,’ ‘failed to meet the most basic industry standards,’ and ‘ran afoul of the well-established mandates of applicable data protection laws,’” it said.

The lawsuit alleged that Equifax failed to implement proper patching protocols; failed to encrypt sensitive information; stored sensitive data on public-facing servers; utilised inadequate network monitoring practices; and utilised obsolete software.

“Furthermore, Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes,” the lawsuit alleged.

The suit also alleges that Equifax failed to implement other basic security measures, such as activity logs, tools to defend against malicious scripts, and multi-factor authentication.

Security experts were quick to comment on the apparently loose security practices at the firm.

“Even in 2017, using ‘admin’ as a password was comical,” said Jake Moore, cybersecurity specialist at ESET. “Sadly though, so many still thought they were either invincible, not a target, or simply unaware of potential cyber threats.”

“No one should ever believe they are unhackable and, in 2019, there is no excuse not to understand the threat landscape,” said Moore. “Not only can large companies be a huge target for cyber criminals, but increasingly so can SMBs, or anyone else for that matter.”

“Password managers are steadily increasing in popularity, but there’s still a long way to go in educating people about their sheer importance,” Moore said. “The real test is to see if other companies around the world have seen this guinea pig test, and hopefully those who followed suit have taken note and changed their practices and protocols.”

Equifax breach

The fallout from the 2017 Equifax breach triggered multiple investigations across the world, and the credit monitoring firm was hauled up before the US Congress.

A US Congressional report that was published in December 2018 accused Equifax of failing to implement ‘adequate security’. It also concluded that the data breach was ‘entirely preventable’.

Former CEO Richard Smith faced a serious grilling from US Senators, by which point he had already retired from the firm following the public disclosure of the breach.

In the summer of 2019, Jun Ying, the former Chief Information Officer (CIO) of Equifax, was sentenced to four months in a federal prison for insider trading.

Ying had sold off his stock options before the 2017 data breach became public knowledge.