Lawsuit for Equifax following huge breach


Consumer credit reporting agency Equifax used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia, USA. The ongoing lawsuit, which was filed after the breach, went viral on Twitter last Friday, October 18 after Buzzfeed reporter Jane Lytvynenko came across the detail.

According to the lawsuit: “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked.’”

The lawsuit also notes that Equifax admitted to storing the sensitive personal information on unencrypted servers and exposing it on a public-facing website.

When Equifax – which is one of the three largest consumer credit reporting agencies in the US – did encrypt data, the lawsuit alleges, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these suits don’t come from wronged consumers, but rather shareholders who allege that the company didn’t adequately disclose risks or its security practices.
The lawsuit was filed by people who bought shares in Equifax between February 25, 2016 and September 15, 2017. In September 2017 Equifax announced a data breach that exposed the personal information of 147 million people. The company settled with the FTC for $425 million in September 2019.

The lawsuit claims damages on the grounds that the investments lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”

In March 2018, Equifax filed a motion to dismiss the case.

“The Plaintiff’s Complaint is devoid of facts even plausibly suggesting that Defendants were aware of any information contradicting their public statements when made,” the motion reads. “Instead, Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”

The motion to dismiss was rejected by the court in January 2019.

“Equifax’s cybersecurity was dangerously deficient,” the court said. “The company relied on a single individual to manually implement its patching process across its entire network.”

The class action is pending certification.

This article is based on a current report on Yahoo! Finance.
