Class action lawsuit claims Equifax used the default 'admin' credentials during 2017 data...

Polycount

TS Evangelist
Staff member

The suit in question has been filed against Equifax in Georgia, and it classifies itself as a "securities fraud class action" case. The plaintiffs claim that Equifax's use of the default "admin" username and password demonstrated poor security policy and a "lack of due diligence."

These credentials (if you can call them that) were allegedly used to protect a company portal for accessing credit disputes (which contained a "vast trove" of personal information). If that claim is accurate, it'll be tough for Equifax to argue against -- we're not sure how the company could possibly spin those login details as sufficient for security.

The suit also alleges that Equifax failed to implement other basic security measures, such as activity logs, tools to defend against malicious scripts, and multi-factor authentication. Further, Equifax allegedly stored "sensitive personal information" in plaintext form on "public-facing" web portals and servers.
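To make the allegation in the previous paragraph concrete, here is an added example that is not code from the article, the lawsuit, or Equifax: a default-credential audit run against two toy portal login handlers. The first stores passwords in plaintext, ships with the vendor default "admin"/"admin", and keeps no record of attempts; the second hashes passwords with PBKDF2, refuses to provision any account with a well-known default password, and writes every attempt to an audit log. The credential list, user store, and class names are all constructed for this illustration; multi-factor authentication is not modelled.

```python
"""Default-credential audit against a weak and a hardened toy login handler.
Constructed example; not code from the article, the suit, or Equifax."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed deny-list of well-known default / most-common credentials
# (the kind of pairs a scanner or an attacker tries first).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "123456"),
    ("root", "root"),
    ("administrator", "administrator"),
]
DEFAULT_PASSWORDS = {p for _, p in DEFAULT_CREDENTIALS}


class InsecurePortal:
    """Plaintext password store, unchanged vendor default, no audit trail."""

    def __init__(self):
        self.users = {"admin": "admin"}  # vendor default never rotated

    def login(self, username, password):
        return self.users.get(username) == password


@dataclass
class HardenedPortal:
    """Salted PBKDF2 hashes, default-credential rejection, audit log."""

    users: dict = field(default_factory=dict)      # username -> (salt, hash)
    audit_log: list = field(default_factory=list)  # one entry per attempt
    iterations: int = 100_000

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.iterations)

    def provision(self, username, password):
        # Refuse to create an account whose password is a known default,
        # so an "admin"/"admin" account cannot exist in this store.
        if password in DEFAULT_PASSWORDS:
            raise ValueError("refusing well-known default password")
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Hash against a dummy salt so unknown users cost the same time
            # as known ones (limits username enumeration via timing).
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, self._hash(password, salt))
        # Every attempt, successful or not, lands in the audit log.
        self.audit_log.append({"user": username, "ok": ok})
        return ok


def default_credential_audit(portal):
    """Return the (username, password) pairs the portal accepts."""
    return [cred for cred in DEFAULT_CREDENTIALS if portal.login(*cred)]


if __name__ == "__main__":
    print("insecure portal accepts:", default_credential_audit(InsecurePortal()))
    hardened = HardenedPortal()
    hardened.provision("analyst", "correct horse battery staple")
    print("hardened portal accepts:", default_credential_audit(hardened))
    print("audit entries recorded:", len(hardened.audit_log))
```

Running the audit against the insecure handler returns the default pair on the first try; against the hardened one it returns nothing, and every probe is visible in the audit log, which is exactly the kind of record the suit says was missing.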

Even if Equifax had followed the security principles and methods laid out in this lawsuit, it's unclear whether the breach could have been prevented entirely. According to the plaintiffs, however, Equifax's security failings made the situation worse, at the very least.

That said, we should make one thing clear: all of the claims made in this suit are just allegations, and should not be taken as gospel just yet. We'll need to wait for the suit to run its course before we can draw any firm conclusions.

For now, the judge presiding over this case has allowed it to move forward against Equifax and former CEO Richard Smith, but the court has denied plaintiffs the ability to go after John Gamble, Rodolfo Ploder, and Jeffrey Dodge (other former or current members of Equifax's leadership team).

Cycloid Torus

Stone age computing - click on the rock below..
New choices to include one from column A and the other from column B:
"A"
123456.
123456789.
qwerty.
password.
111111.
12345678.
abc123.
1234567.

"B"
123456.
123456789.
qwerty.
password.
111111.
12345678.
abc123.
1234567.
 

yRaz

Nigerian Prince
I'm still getting calls every couple of months from one of my banks/credit cards about potential fraudulent activity on one of my accounts. It's to the point where I have to notify the bank every time I go to travel. Two of my cards were declined when I had a layover at Atlanta airport. And while we're on the topic, I hate Atlanta airport, but all my SkyMiles are for Delta so I really don't have much choice in the matter.
 

Yynxs

TS Addict
Just for that kind of stupidity they would be liquidated, with the funds distributed to everyone who was ever listed on them...
Settling with the FTC means nothing except the government gets the money and the stockholders get hit. I would like to see the executives and staff jailed in El Salvador for about 5 years also. Use some of the liquidation funds to hire US guards. If there were tech staff that yelled bloody murder about the security, give them a 5-year bonus check, and if not, let them join the executives.

Somewhere sometime someone has to get the hint about the security without a horse head on a pillow.