The Equifax breach took place in 2017, but even two years later it is still regarded as one of the worst of all time. The breach happened because the firm failed to patch a web server, which is in itself a very basic error. But now a class action lawsuit alleges that things were even worse.
Brace yourself, because this isn’t going to make pretty reading, especially if you’re a cybersecurity professional. According to the filing in the U.S. District Court for the Northern District of Georgia, Atlanta Division, Equifax was protecting sensitive personal information on a portal used to manage credit disputes with the username “admin.”
And if that wasn’t enough, the password protecting that data was probably the first one an attacker would guess: yes, that’s right, it was also “admin”, the lawsuit alleges.
The class action lawsuit calls this “a sure-fire way to get hacked.”
But that is not all. The lawsuit also points out that Equifax was storing unencrypted user data on a public-facing server, so it could have been viewed by any attacker who chose to compromise it. Meanwhile, Equifax didn’t encrypt its mobile applications either, and when it did encrypt data, it left the encryption keys on the same public-facing servers.
The Equifax breach fallout
The Equifax breach in 2017 exposed sensitive information, including Social Security numbers and home addresses, belonging to 147 million people across the world. In July this year, Equifax was fined $700 million for the hack, with $425 million of that due to go into a fund to compensate affected customers.
The Equifax cash payment is capped at a hefty $20,000, but it’s looking increasingly unlikely that many people will even get the lower $125, after the FTC later confirmed that Equifax couldn’t, in fact, afford the promised payout. Instead, affected customers have been offered free credit monitoring, probably not something you would trust Equifax with given what happened.
Even two years later, details about the Equifax mega breach continue to emerge. If other firms can learn one thing from it, it’s that poor cybersecurity practices can be truly devastating to your customers, your future revenue and ultimately your brand.