Equifax used default 'admin' user name and password to secure hacked portal

Lawsuit claims that Equifax IT security was negligent and that the company made 'false and misleading statements' about its IT security and data protection compliance

Equifax staffers used the default user name and password - 'admin' - to secure a portal containing sensitive customer information.

That's according to a class-action lawsuit launched against the company in the US, claiming securities fraud by the company over the 2017 data breach that spilled information on around 148 million accounts of people in the US, Canada and the UK.

"This case arises out of a massive data breach incident… The plaintiff alleges that the defendants committed fraud in connection with the data breach that caused a loss in value of [Equifax shares]," claims the lawsuit.

It goes on to claim that the company made "multiple false and misleading statements and omissions about the sensitive personal information in Equifax's custody, the vulnerability of its internal systems to cyber attack, and its compliance with data protection laws and cyber security best practices".

It further claims that the company failed to take even "the most basic precautions to protect its computer systems from hackers".

These include failing to ensure staff used adequate authentication measures to secure systems. "Equifax's authentication measures were insufficient to protect the sensitive personal data in its custody from unauthorised access", the report continues.

"These mechanisms included weak passwords and security questions. For example, Equifax relied upon four-digit PINs derived from [US] Social Security numbers and birthdays to guard personal information, despite the fact that these passwords had already been compromised in previous breaches.

"Furthermore, Equifax employed the user name 'admin' and the password 'admin' to protect a portal used to manage credit disputes… This portal contained a vast trove of personal information."

The company also failed to adequately monitor its networks and systems, the lawsuit adds, failing to set up mechanisms to maintain activity logs, establish processes for tracking malicious scripts and implement file integrity monitoring.

"A breach as large-scale as this would not have occurred if Equifax had implemented better monitoring systems," it continues.

The lawsuit takes advantage of claims made after the breach was discovered and admitted, both in formal reports and by security specialists and commentators.

A US Congressional report published in December 2018 accused the company of failing to implement "adequate security" and added that the data breach was "entirely preventable".

Furthermore, Equifax security staff failed to notice the exfiltration of data because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate, the Congressional report added.

Earlier this year, the organisation agreed to pay up to $700 million in fines and compensation in a settlement with US regulators over the 2017 security breach.