BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Why You Should Change How You Make Calls On Your iPhone
Jake Davis Shares The Secrets Behind Epic Wildlife Photography
Europol Speaks Out Against End-To-End Encryption
Revolutionary Insights From 'Secrets Of The Octopus'
Anonymous Hackers Threaten To Expose IDF’s ‘Top Secret Projects’
New Google Play Biometrics Warning Issued To All Android Users
Edit Story
ForbesInnovationCybersecurity
Editors' Pick

Equifax Lawsuit: ‘Admin’ As Password At Time Of 2017 Breach

Kate O'Flaherty
Senior Contributor
Opinions expressed by Forbes Contributors are their own.
Cybersecurity and privacy journalist
Following
This article is more than 4 years old.

The Equifax breach took place in 2017, but even two years later it is still regarded as one of the worst of all time. The Equifax breach happened because the firm failed to patch a web server, which is itself a very basic error. But now a class action lawsuit shows that things were allegedly even worse.

Brace yourself, because this isn’t going to make pretty reading, especially if you’re a cybersecurity professional. According to the filing in the U.S. District Court for the Northern District of Georgia, Atlanta Division, Equifax was protecting sensitive personal information on a portal used to manage credit disputes with the username “admin.” 

And if that wasn’t enough, the password protecting that data was probably the first one an attacker would guess: Yes that’s right, it was also “admin,” according to the lawsuit.

The class action lawsuit calls this “a sure-fire way to get hacked.”

But that is not all. The lawsuit also points out that Equifax was storing unencrypted user data on a public facing server–so it could have been viewed by any attacker who chose to compromise it. Meanwhile, Equifax didn’t encrypt its mobile applications either–and when it did encrypt data, it left the encryption keys on the same public facing servers.

The Equifax breach fallout

The Equifax breach in 2017 exposed the sensitive information including social security numbers and personal addresses of 147 million people across the world. In July this year, Equifax got fined $700 million for the hack, with $425 million of that due to go into a fund to compensate affected customers. 

MORE FROMFORBES ADVISOR

Best Travel Insurance Companies

By
Amy Danise
Editor

Best Covid-19 Travel Insurance Plans

By
Amy Danise
Editor

The Equifax cash payment is capped at a hefty $20,000, but it’s looking increasingly unlikely that many people will even get the lower $125, after the FTC later confirmed that Equifax couldn’t, in fact, afford the promised payout. Instead, affected customers have been offered free credit monitoring–probably something you wouldn’t trust Equifax with given what happened. 

Even two years later, details about the Equifax mega breach continue to emerge. If one thing can be learnt by other firms, it’s that poor cybersecurity practices can be truly devastating to your customers, your future revenue and ultimately your brand.

Follow me on Twitter or LinkedIn
Kate O'Flaherty
Kate O'Flaherty