Employees at Equifax relied on default administration login credentials to secure a pathway that contained private customer details, reports reveal.
According to a class-action lawsuit levelled against the US firm, Equifax is guilty of fraud as a result of the massive data breach it suffered in 2017, which led to the exposure of around 148 million accounts. Citizens in the UK, US and Canada were hit by the breach.
The lawsuit claimed:
“This case arises out of a massive data breach incident. The plaintiff alleges that the defendants committed fraud in connection with the data breach that caused a loss in value of [Equifax shares].”
There are also allegations being made that the company committed “multiple false and misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyber-attack, and its compliance with data protection laws and cybersecurity best practices.”
The lawsuit continues, maintaining that Equifax neglected to take even the “most basic precautions to protect its computer systems from hackers.”
Among the alleged failures, the company did not make sure that employees used proper authentication measures to secure systems.
“Equifax’s authentication measures were insufficient to protect the sensitive personal data in its custody from unauthorised access”, the report said.
“These mechanisms included weak passwords and security questions. For example, Equifax relied upon four-digit PINs derived from [US] Social Security numbers and birthdays to guard personal information, despite the fact that these passwords had already been compromised in previous breaches.
“Furthermore, Equifax employed the user name ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes. This portal contained a vast trove of personal information,” the report continued.
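An added example (not from the lawsuit or from Equifax) of an enrollment-time check that rejects the two weaknesses quoted above: a default username/password pair and four-digit PINs derivable from a Social Security number or birthday. The function names, the default-credential list and the sample values are assumptions constructed for illustration.

```python
import re
from datetime import date

# Assumed list of vendor-default pairs; extend it from your own asset inventory.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("administrator", "password"), ("root", "root")}


def pins_derived_from_identity(ssn, birth):
    """Return the four-digit PINs an attacker could guess from an SSN and birth date."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain nine digits")
    mm, dd, yyyy = f"{birth.month:02d}", f"{birth.day:02d}", f"{birth.year:04d}"
    yy = yyyy[2:]
    return {
        digits[-4:], digits[:4],   # last four / first four SSN digits
        mm + dd, dd + mm, yyyy,    # MMDD, DDMM, YYYY
        mm + yy, yy + mm,          # MMYY, YYMM
        dd + yy, yy + dd,          # DDYY, YYDD
    }


def credential_findings(username, secret, ssn=None, birth=None):
    """List policy violations for a proposed credential; an empty list means accepted."""
    findings = []
    user, sec = username.strip().lower(), secret.strip().lower()
    if (user, sec) in DEFAULT_CREDENTIALS:
        findings.append("default-credential-pair")
    if user == sec:
        findings.append("secret-equals-username")
    if re.fullmatch(r"\d{4}", secret):
        # Only 10,000 possible values, trivially enumerable without rate limiting.
        findings.append("four-digit-pin")
        if ssn and birth and secret in pins_derived_from_identity(ssn, birth):
            findings.append("pin-derived-from-identity")
    return findings


if __name__ == "__main__":
    # Constructed sample identity: the 000 SSN area number is never issued.
    ssn, birth = "000-12-3456", date(1985, 7, 4)
    for user, secret in [("admin", "admin"), ("jdoe", "0704"), ("jdoe", "3456")]:
        print(user, secret, credential_findings(user, secret, ssn, birth))
```
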
Equifax also failed to supervise its networks and systems, the lawsuit said. It did not establish mechanisms to monitor activity logs, processes for tracing malicious scripts, or file integrity monitoring.
“A breach as large-scale as this would not have occurred if Equifax had implemented better monitoring systems,” the lawsuit report added.