Equifax Lawsuit: ‘Admin’ Was Used as Login Credentials at Time of Massive Data Breach

Brianna Smith — October 22, 2019

Laptop displaying data stream in darkened room; image by Markus Spiske, via Unsplash.com.

A class-action lawsuit filed earlier this month alleges Equifax used ‘admin’ as the username and password for the compromised portal containing sensitive information of millions of people.

Remember the big Equifax data breach that compromised sensitive data belonging to millions of Americans? Well, it turns out that at the time of the breach, Equifax was using the word ‘admin’ as both the password and username for the portal containing all the sensitive information that was compromised, according to a class-action lawsuit filed earlier this month. The suit was filed in the Northern District of Georgia.

Equifax Logo; image courtesy of Equifax via Wikipedia, https://en.wikipedia.org/

According to the suit, “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that is a surefire way to get hacked.” Additionally, the suit notes that Equifax “admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.” Furthermore, the suit alleges that when Equifax “did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

This latest class-action suit actually merged 373 other lawsuits into one, and unlike other lawsuits filed by consumers, the class-action suit was filed by “shareholders that allege the company didn’t adequately disclose risks or its security practices.” As a result, the suit is seeking damages because the company’s shares “lost value due to multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”

Originally Equifax filed a motion to dismiss the case back in March of 2018 and stated:

“Plaintiff’s Complaint is devoid of facts even plausibly suggesting that Defendants were aware of any information contradicting their public statements when made,” the motion reads. “Instead, Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”

However, that motion to dismiss was rejected in January 2019. When commenting on the matter, the court said:

“Equifax’s cybersecurity was dangerously deficient. The company relied on a single individual to manually implement its patching process across its entire network.”

For those who don’t know, reports from Equifax revealed that cyber criminals hacked into its system between May and July 2017 and “accessed sensitive information such as names, social security numbers, birth dates, addresses, and the numbers of some driver’s licenses.” The attack also compromised “credit card numbers for about 209,000 U.S. customers…as was personal identifying information on roughly 182,000 U.S. customers involved in credit report disputes.”