You say, WTF?! The major Equifax data breach of 2017, which exposed the sensitive personal information of about 150 million American citizens, is not easy to forget. Although Equifax has already settled with the FTC over the breach (for up to around $700 million), the credit agency has been hit with another lawsuit alleging that the firm used the same “admin” credentials at the time of the breach.
The complaint in question was brought in Georgia against Equifax and is a “securities fraud class action” case. The complainants claim that Equifax's use of the default “admin” username and password showed poor security policy and a “lack of due diligence.”
These credentials were allegedly used to protect a company portal for accessing credit disputes (which contained a “vast trove” of personal information). If that statement is true, it’s going to be hard for Equifax to argue against; we’re not sure how the company could spin those login details as appropriate protection.
The suit also claims that Equifax failed to implement other basic security measures, such as activity logs, defense tools against malicious scripts, and multi-factor authentication. In addition, Equifax reportedly stored “sensitive personal information” in plaintext form on web portals and databases that are “public-facing.”
Even if Equifax had followed the security principles and methods laid out in this lawsuit, it is unclear whether the breach could have been completely prevented. Nonetheless, according to the complainants, Equifax's security weaknesses at least made the situation worse.
However, one thing we should make clear is that all the claims made in this suit are merely allegations and should not be taken as gospel. Before we can draw any firm conclusions, we will have to wait for the suit to run its course.
For now, the judge presiding over this case has allowed it to move forward against Equifax and former CEO Richard Smith, but the court has denied complainants the ability to pursue John Gamble, Rodolfo Ploder, and Jeffrey Dodge (other former or current leadership team members of Equifax).