WTF?! It's not easy to forget 2017's massive Equifax data breach, which exposed the sensitive personal information of roughly 150 million American citizens. While Equifax has already settled the breach with the FTC (to the tune of around $700 million), the credit bureau has been hit with another lawsuit that alleges the company used the default "admin" password during the time of the breach.
The suit in question has been filed against Equifax in Georgia, and it classifies itself as a "securities fraud class action" case. The plaintiffs claim that Equifax's use of the default "admin" username and password, demonstrated poor security policy and a "lack of due diligence."
These credentials (if you can call them that) were allegedly used to protect a company portal for accessing credit disputes (which contained a "vast trove" of personal information). If that claim is accurate, it'll be tough for Equifax to argue against -- we're not sure how the company could possibly spin those login details as sufficient for security.
The suit also alleges that Equifax failed to implement other basic security measures, such as activity logs, tools to defend against malicious scripts, and multi-factor authentication. Further, Equifax allegedly stored "sensitive personal information" in plaintext form on "public-facing" web portals and servers.
...Equifax allegedly stored "sensitive personal information" in plaintext form on "public-facing" web portals and servers.
Even if Equifax had followed the security principles and methods laid out in this lawsuit, it's unclear whether or not the breach could have been prevented entirely. However, according to the plaintiffs in this case, Equifax's security failings made the situation worse, at the very least.
However, we should make one thing clear: all of the claims made in this suit are just allegations, and should not be taken as gospel just yet. We'll need to wait for the suit to run its course before we can draw any firm conclusions.
For now, the judge presiding over this case has allowed it to move forward against Equifax and former CEO Richard Smith, but the court has denied plaintiffs the ability to go after John Gamble, Rodolfo Ploder, and Jeffrey Dodge (other former or current members of Equifax's leadership team).