A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”
What Happened
Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer details stolen, 44 million of which are believed to have come from UK customers. Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s license details, and around 209,000 credit card numbers.
Hackers got in through a vulnerability in the website and Equifax was reported to have known about the attack 40 days before informing the public that it had happened. Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold-off their shares worth almost £1.4m before the breach was publicly announced.
The Lawsuit
The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.
What Kind of Shortcomings?
The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”. The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data. For example, it alleges that Equifax:
- Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
- Didn’t encrypt sensitive information and instead, stored in plain-text, making it easy for unauthorised users to read and misuse.
- Didn’t encrypt mobile applications, meaning that it failed to encrypt data being transmitted over the internet.
- Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
- Used inadequate network monitoring practices and obsolete software.
- Failed to implement adequate authentication measures. This allegedly included using weak passwords and security questions.
Simple Usernames and Passwords Including ‘Admin’
One of the shocking accusations in the lawsuit relates to passwords. It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit pins (derived from Social Security numbers and birthdays) to guard personal information, even though these weak passwords had already been compromised in previous breaches.
Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess. For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.
Simple Passwords Still Widely Used
One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy to guess passwords, and by sharing the same password between multiple websites and platforms.
For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts. The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.
What Does This Mean For Your Business?
The allegations about the apparent organisational disregard for cyber-security at such a big company and the use of simple, default-style passwords such as ‘Admin’ and leaving one person in charge of patching for the whole company are truly shocking. The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly with the possible fines from GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted. Introducing multifactor authentication (MFA) also adds another important extra layer of security to password-based systems, and many companies are now seeking biometric authentication methods as a way of getting completely away from the whole risky password area.
The Equifax case also highlights how businesses shouldn’t treat database security any differently from other aspects of their cybersecurity, especially by not sharing admin passwords, and if sharing is necessary, by keeping track of who has those passwords and why. Using analytics on a database is also a way in which businesses can track when someone has got into a database using certain admin credentials.