“Grossly inadequate” data protection measures that “failed to meet even the most basic industry standards”, and the use of the username and password ‘admin’ to protect a portal used to manage credit disputes are just a few of the accusations levelled at troubled credit services provider Equifax.
These accusations are from a securities fraud class action lawsuit over the September 2017 breach that saw the personal details of millions of users compromised. The lawsuit was filed with the Northern District Court of Georgia (Atlanta division) in the US in January. It details a myriad of dangerous cyber security deficiencies at Equifax which led to the 2017 exposure of the personal data of millions.
Subsequent repercussions have included fines of up to $700m levied in the US, and £500,000 in the UK, the highest possible fine pre-GDPR, as well as severe damage to Equifax’s reputation.
The lawsuit details how the data breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems” that essentially ignored basic cyber security hygiene altogether.
Besides the use of laughably insecure usernames and passwords, these include failure to implement patching protocols, with a single ill-informed individual tasked with managing patching across the entire network; failure to encrypt sensitive data, instead storing it in plain text on publicly accessible servers; inadequate network monitoring and threat-alerting practices; inadequate authentication measures; and the use of obsolete software.
“Overall, according to cyber security experts, a ‘catastrophic breach of Equifax’s systems was inevitable because of systemic organisational disregard for cyber security and cyber-hygiene best practices’,” the lawsuit said. The failures also exacerbated the impact of the breach.
Passwords no longer appropriate
OneLogin vice-president of solution engineering, Stuart Sharp, said the latest fallout from the two-year-old breach demonstrated yet again that the idea of passwords as an adequate security measure needs to change.
“Humans are still the weakest link in our cyber security defence strategies, and the fact that nobody thought to change the default ‘admin’ username and password is another reason why passwords alone are ineffective,” said Sharp.
“Organisations are still too casual with sensitive data. IT departments need to implement processes to enforce the change of default passwords and blacklist the use of commonly used passwords. Another solution is to implement MFA [multifactor authentication]. If MFA has been implemented, then it doesn’t matter if your username and password have been compromised.”
This article is based on one that originally appeared in Computer Weekly.