Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Businesses Security The Internet IT

Equifax Used 'admin' as Username and Password for Sensitive Data: Lawsuit (yahoo.com) 59

A user writes: When it comes to using strong username and passwords for administrative purposes let alone customer facing portals, Equifax appears to have dropped the ball. Equifax used the word "admin" as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. "Equifax employed the username 'admin' and the password 'admin' to protect a portal used to manage credit disputes, a password that 'is a surefire way to get hacked,'" the lawsuit reads. The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, "it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data." The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don't come from wronged consumers, but rather shareholders that allege the company didn't adequately disclose risks or its security practices.
This discussion has been archived. No new comments can be posted.

Equifax Used 'admin' as Username and Password for Sensitive Data: Lawsuit

Comments Filter:
  • by Oswald McWeany ( 2428506 ) on Monday October 21, 2019 @11:16AM (#59330962)

    You mean I shouldn't use Admin for all my passwords?

  • Leaving the default password on is stupid, but it's also stupid to not have a firewall on the way for sensitive systems.

    Seems like the credit reporting sites have too much valuable information, and only respond to laws when being called stupid. Congress, please require some basic IT standards on them.

    • by Shaitan ( 22585 )

      "Leaving the default password on is stupid, but it's also stupid to not have a firewall on the way for sensitive systems."

      Did they not? A lot of places have unpatched systems, default credentials, self-signed or expired certs, etc somewhere but generally it is internal stuff that is buried deep under many layers of security and usually off on some management vlan somewhere at least.

    • by Jaime2 ( 824950 )

      Consider before calling someone stupid.

      Big companies like Equifax have thousands of employees and thousands of "secrets" (pieces of information that must be held confidential e.g. passwords, private keys, etc.). The good guys have to be right every time and the bad guys only have to win once. This isn't so much a "stupid move" as a failure of process. In order to make sure all devices are secured properly, you need to be consistent and thorough, not brilliant. There's always a weird case where some device i

  • "And somebody change the combination of my suitcase!"

    -- Lord Helmet

  • Maybe gross stupidity?

    I'm a firm believer in "don't attribute to malice which can be sufficiently explained with stupidity", but at this level, that can't even be stupidity anymore. The average 3 year old knows better than to do that. You could literally run this company better by putting a bunch of hobos at the helm.

    • Hobos are better than the average credit agency employee. Think about it, a hobo will accept whatever leftovers society will give them. Credit agency employees feel entitled to a job and good pay for a service no consumer genuinely consents, but is rather coerced into providing information and then paying fees for the privilege of using their own data when they want to make certain purchases.
    • Comment removed based on user account deletion
    • Even the littlest one?
    • It's stupidity. Public-facing, admin:admin, didn't bother encrypting in transit. Reckless and negligent.

      I protest the "unencrypted servers" horse shit, however. The data at rest, if encrypted, would be accessible by all these tools. Authentication would allow you to read it, and a lack of authentication would prevent you from doing so. Encryption doesn't help here; you encrypt data on mobile devices (laptops, phones, etc.) because they're actually likely to be stolen.

      Yes, I know, you can theoretica

    • by hey! ( 33014 )

      There was a time not so long ago when a surgeon would scrub, stroll into the operating room and start cutting way. As a result doctors, every one of whom was smart enough to make it through medical school and surgical residency, would occasionally amputate the wrong limb or perform a procedure on the wrong patient.

      These days surgical teams are supposed to go through a standard protocol, verifying they've got the right patient and are doing the right procedure. There was resistance to this originally becau

    • No self-respecting hobo would ever accept work of that kind.

    • by gweihir ( 88907 )

      On executive level, hiring somebody that is grossly incompetent, is intent. Or at least it should count as it.

  • by Ronin Developer ( 67677 ) on Monday October 21, 2019 @11:46AM (#59331126)

    But, for a few bucks to our coffers, we'll boost your credit rating.

    WTF is up with that? You can PAY to have your credit rating raised? How does that ACTUALLY improve your credit worthiness?

    • by ceoyoyo ( 59147 )

      Seems reasonable. It's a revenue stream. The key is to balance your customers: the people who pay you for accurate credit reporting, and the ones who pay you for inaccurate credit reporting.

      • by Anonymous Coward

        Does it? The customers of CRAs are financial organisations, not people. Those financial organisations depend on the accuracy of credit reports to be able to determine whether it's safe to lend or not. If a CRA will fudge a credit report to allow better scores then it's entire existence is pointless.

        That said, whilst I'm willing to be proven wrong, I don't think such a service exists. There are services that tell you how you can improve your score, but I don't think there are any that actually improve your s

  • Buzzfeed reporter

    lol

  • Are the banking credentials Equifax uses for their business accounts set to admin as well? Asking for a friend.
  • Their web site interface for freezing/unfreezing credit has been broken for more than a year as well.

    Whenever I try to freeze my credit, the operation results in a server-side error.

    Transunion and Experian have never been a problem for me.

  • Everybody knows that security settings in modern browsers automatically mask your actual password in textarea posts. If you type in your password, it will show as stars
    ********** see!
    • by anegg ( 1390659 )

      Everybody knows that security settings in modern browsers automatically mask your actual password in textarea posts. If you type in your password, it will show as stars ********** see!

      My passwords are all actually "**********". Everyone who sees them thinks that they have been blanked out!

  • sound like some default password!

  • Just opt out of that system. Oh, wait....
  • Comment removed based on user account deletion
  • And poor security for most organizations doesn't hurt the organization. You are Equifax's product. So they leak a few million reports, it doesn't cost them a penny unless their paying customers discover the security flaw and go to the trouble and risk of getting the information for free. We are also talking about complicated systems that are very much ad hoc. Just add a new feature or if something is broken just fix it. Even if a system starts secure someone at some point will miss configure it, or put
  • I want to see a big fat class action lawsuit with a judgement that bankrupts these idiots.
  • Comment removed based on user account deletion
  • I was taught Cockup before Conspiracy.

    With all these "breaches" and "misconfigurations" I do actively wonder - have we crossed over from Cockups to Conspiracy?

    A convenient way to release a trove of info would be to intentionally offer it the most trivial of security. Makes you wonder about all those databases found in unsecured AWS buckets.

  • So, who is taking bets that the shareholders give a bigger judgment than the actual victims whose personal information was disclosed?

    I mean... if it takes a one-two combo to punish the company properly---a public class action suit for the victims and a shareholder suit for the irresponsibility---I'm all for watching the courtroom drama with a bowl of popcorn.

    Although, I'll have that "sadder but wiser" feeling at the end if the shareholders get a bigger payout than the public.

  • ......cue facepalm.... https://www.youtube.com/watch?... [youtube.com]

  • Degree in Music but has a vagina. Check.

  • I am simply amazed at the ineptitude exhibited by Equafax. They are not adhering to even minimal industry-wide security standards, yet they hold some of the most valuable information on the Net. Their lack of patching has led the the identify theft of too many people to count, and now we're being told that they are using username / password combinations that 5th graders wouldn't use. These credit rating companies need tighter regulations concerning privacy (i.e. something similar to HIPPA) and they need t
  • Everything important is secured under the BOFH user id.

  • ...had the username SYSTEM and the password was ADMIN.

    That was apparently the defaul, because we used it everywhere.

    You were expected to login, make a user account, and log out of the admin account and into your newly created one.

    This was in the 70's. :)

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...