How would you secure a portal containing valuable, personal finance information of 148 million accounts of customers spread across the US, Canada and the UK? Equifax employees chose the default and used ‘admin’ as both username and password, said the class-action lawsuit launched against the company in the US.
"Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that is a surefire way to get hacked," said the class-action lawsuit document.
The 2017 data breach at Equifax gave away the details of 148 million accounts, with the US Federal Trade Commission (FTC) admitting that almost anyone who had a credit profile in America was probably exposed.
"If you have a credit report, there’s a good chance that you’re one of the 148 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies," said attorney Seena Gressin in FTC’s Equifax damage assessment report.
"According to cyber-security experts, these shortcomings demonstrated poor security policy and a lack of due diligence," said the lawsuit document.
"Equifax’s authentication practices fell short of the data security standards, which recommend the use of multi-factor authentication. Equifax also failed to adequately monitor its networks and systems, which greatly exacerbated the fallout of the data breach," it added.
"Had the Equifax breach been the result of an extremely smart and motivated hacker doing something amazing to get the data, that would have been one thing. But since it’s the case of the target ignoring the bare-minimum of best practices and paying a significant price for the oversight, what happened is alarming," said Todd Peterson, IAM evangelist at One Identity.
"In the case of Equifax, simply doing what’s right, which would have taken about one minute to implement, would have saved the company from a world of trouble," he added.
Equifax failed to implement effective logging techniques, allowing hackers to continuously access sensitive personal data of its users for over 75 days, according to the lawsuit.
"Equifax’s failure to utilise proper network monitoring, one of the most basic cyber-security practices, demonstrates the fundamental deficiencies in its networks."
These allegations reveal that the door was left wide open for hackers, commented Ray Walsh, security and privacy advocate at ProPrivacy.com.
"If these allegations are true, it would appear that Equifax wasn't strictly ‘hacked’ - but rather left the door right open for anybody to walk in. It is becoming clear that the breach that occurred in 2017 would not have been as severe, and could potentially have been completely avoided if Equifax had engaged in even the most basic security for its systems," he said.
Noting that there was no effort to change the log-in credentials from ‘admin’, OneLogin solution engineering VP Stuart Sharp commented that humans are still the weakest link in cyber-security defence strategies.
"Organisations are still too casual with sensitive data. IT departments need to implement processes to enforce the change of default passwords and blacklist the use of commonly used passwords. Another solution is to implement MFA. If MFA has been implemented, then it doesn’t matter if your username and password have been compromised," he said.
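The controls Sharp describes, refusing default and commonly used passwords, forcing the initial password to be changed, and checking MFA enrolment, can be enforced in code. The following is an added example written for this article, not code from Equifax, OneLogin or the lawsuit: the blacklist is a constructed stub (a real deployment would load a breached-password list), the `Account` records are constructed, and `audit_accounts` is a hypothetical inventory check that detects stored hashes matching blacklisted values without ever needing the plaintext.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed blacklist for the example; a real deployment loads a large
# breached-password list rather than a handful of entries.
DEFAULT_CREDENTIAL_PAIRS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
COMMON_PASSWORDS = {"admin", "password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def evaluate_password(username: str, password: str) -> list[str]:
    """Policy check applied when a password is set. Returns the list of
    violations; an empty list means the password is acceptable."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIAL_PAIRS:
        findings.append("default vendor credential pair")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("password appears on the common-password blacklist")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_changed: bool  # False: the initial/default password is still in place
    mfa_enrolled: bool


def audit_accounts(accounts) -> dict[str, list[str]]:
    """Hypothetical periodic audit over an account inventory. It re-hashes each
    blacklisted value (plus the username) with the account's salt and compares
    against the stored hash, so the plaintext is never needed. Also flags
    accounts still on their initial password and accounts without MFA."""
    report = {}
    for acct in accounts:
        issues = []
        for candidate in COMMON_PASSWORDS | {acct.username}:
            if hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash):
                issues.append("stored password matches blacklisted value")
                break
        if not acct.password_changed:
            issues.append("initial password never changed")
        if not acct.mfa_enrolled:
            issues.append("MFA not enrolled")
        if issues:
            report[acct.username] = issues
    return report


def make_account(username: str, password: str, changed: bool, mfa: bool) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), changed, mfa)


# Constructed sample inventory: one account left on vendor defaults with no MFA,
# one account with a long passphrase that was rotated and has MFA enrolled.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin", changed=False, mfa=False),
    make_account("dispute_ops", "correct-horse-battery-staple-2019", changed=True, mfa=True),
]

if __name__ == "__main__":
    print(evaluate_password("admin", "admin"))
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
```

`evaluate_password` is the gate at password-set time; `audit_accounts` is the compensating check for systems that were provisioned before the policy existed, which is the situation the lawsuit describes. Because the audit only compares hashes, it can run against a production credential store without exposing any passwords.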
However, the issue is also one of the difficulty of keeping track of every system and its security posture, noted Hugo van den Toorn, offensive security manager at Outpost24.
"Although ‘admin’ as username and password sounds too easy for some, there is a reason that on every pen test we still try to login with default and easy to guess credentials. It’s simple and still works from time to time," he said.
Security measures should be built in by design for systems used to access, alter, transact or otherwise interact with sensitive data, he explained.
"Whenever a system is subjected to change, or compliance changes, the effectiveness of the security measures as a whole should be (re)assessed. When a system is impacted by a breach, the same applies. When something happens, go back and subjectively assess if you are still doing the right thing. This should include reviewing the password policy, access controls and data classification, which in this case should all cover the fact that ‘admin’ is not a strong password."
In July 2019, Equifax agreed to pay approximately US$650 million (£500 million) as part of the settlement with the FTC on the data breach, giving US$125 per affected consumer. Two months later, the company added more terms and conditions to its claims process, offering free credit monitoring for up to 10 years instead, reported CBS News.