Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class-action lawsuit filed in federal court in the Northern District of Georgia.
The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.
“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.
The lawsuit also notes that Equifax admitted to using unencrypted servers to store sensitive personal information, which it had on a public-facing website.
When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers, but rather from shareholders who allege the company didn’t adequately disclose risks or its security practices.
The details from this Equifax class-action suit are BONKERS http://securities.stanford.edu/filings-documents/1063/EI00_15/2019128_r01x_17CV03463.pdf
In March 2018, Equifax filed a motion to dismiss the case.
“Plaintiff’s Complaint is devoid of facts even plausibly suggesting that Defendants were aware of any information contradicting their public statements when made,” the motion reads. “Instead, Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”
The motion to dismiss was rejected by the court in January 2019.
“Equifax’s cybersecurity was dangerously deficient,” the court said. “The company relied on a single individual to manually implement its patching process across its entire network.”
The class action is pending certification.
Equifax did not respond to a request for comment by the time of publication.