EQUIFAX STAFFERS used the default 'admin' username and password to secure a portal containing sensitive customer information.
That's according to a class-action lawsuit launched against the company in the US, claiming securities fraud by the company over the 2017 data breach that spilled information on around 148 million accounts of people in the US, Canada and the UK.
"This case arises out of a massive data breach incident. The plaintiff alleges that the defendants committed fraud in connection with the data breach that caused a loss in value of [Equifax shares]," claims the lawsuit.
It alleges the company made "multiple false and misleading statements and omissions about the sensitive personal information in Equifax's custody, the vulnerability of its internal systems to cyber attack, and its compliance with data protection laws and cybersecurity best practices".
The lawsuit goes on to claim that the company failed to take even "the most basic precautions to protect its computer systems from hackers".
These include failing to ensure staff used adequate authentication measures to secure systems. "Equifax's authentication measures were insufficient to protect the sensitive personal data in its custody from unauthorised access", the report continues.
"These mechanisms included weak passwords and security questions. For example, Equifax relied upon four-digit PINs derived from [US] Social Security numbers and birthdays to guard personal information, despite the fact that these passwords had already been compromised in previous breaches.
"Furthermore, Equifax employed the user name 'admin' and the password 'admin' to protect a portal used to manage credit disputes. This portal contained a vast trove of personal information."
The company also failed to adequately monitor its networks and systems, the lawsuit adds, failing to set up mechanisms to maintain activity logs, processes for tracking malicious scripts, or file integrity monitoring.
"A breach as large-scale as this would not have occurred if Equifax had implemented better monitoring systems," it continues.
The lawsuit takes advantage of claims made after the breach was discovered and admitted, both in formal reports and by security specialists and commentators.
A US Congressional report published in December 2018 accused the company of failing to implement "adequate security" and added that the data breach was "entirely preventable".
Furthermore, Equifax security staff failed to notice the exfiltration of data because the device used to monitor network traffic had been inactive for 19 months due to an expired security certificate. µ