Equifax Incorporated suffered a security breach in 2017 that compromised the sensitive financial and personal information of as many as 147 million people; and the Atlanta-based consumer credit reporting agency has settled for a total of $671 million as a result.
Equifax Used admin For User Name and Password, According to Court Document
According to a statement on page nine of this official document (109 pages in total) from the United States District Court for the Northern District of Georgia, Atlanta Division, Equifax failed to implement adequate authentication measures to protect the sensitive personal data in its custody from unauthorized access…
…and one of the ways in which Equifax fell short was by using admin as both the user name and the password.
These mechanisms included weak passwords and security questions. For example, Equifax relied upon four digit pins derived from Social Security numbers and birthdays to guard personal information, despite the fact that these weak passwords had already been compromised in previous breaches. Furthermore, Equifax employed the username “admin” and the password “admin” to protect a portal used to manage credit disputes, a password that “is a surefire way to get hacked.” This portal contained a vast trove of personal information. According to cybersecurity experts, these shortcomings demonstrated “poor security policy and a lack of due diligence.” Equifax’s authentication practices fell short of the data security standards, which recommend the use of multi-factor authentication.
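The two authentication weaknesses the complaint describes, a default admin/admin login and four-digit PINs derived from a Social Security number and birthday, are both things a credential policy can reject before they reach production. The following is an added example, not Equifax's code or anything from the court record; the default-credential list, the policy messages and the 12-character floor are assumptions chosen for illustration. It enumerates the PINs an attacker who already holds a victim's SSN and date of birth would try first and refuses them, alongside the other checks.

```python
from datetime import date

# Constructed sample of well-known factory/default logins. A real check would
# load a full default-credential corpus; this is just enough for the example.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("administrator", "administrator"),
    ("root", "root"), ("guest", "guest"),
}


def pii_derived_pins(ssn, birthdate):
    """Return the 4-digit PINs an attacker would try first given the victim's
    SSN and date of birth: the last four SSN digits and the obvious
    MMDD / DDMM / YYYY / MMYY / YYMM forms of the birthday."""
    digits = ssn.replace("-", "")
    return {
        digits[-4:],
        birthdate.strftime("%m%d"), birthdate.strftime("%d%m"),
        birthdate.strftime("%Y"), birthdate.strftime("%m%y"), birthdate.strftime("%y%m"),
    }


def validate_credentials(username, password, ssn=None, birthdate=None, breached=frozenset()):
    """Return the list of policy violations for a proposed username/password.
    An empty list means the pair is acceptable under this (assumed) policy.
    `breached` is an optional set of passwords known from earlier leaks."""
    problems = []
    u, p = username.strip().lower(), password
    if (u, p.lower()) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credential")
    if u == p.lower():
        problems.append("password equals username")
    if p.isdigit() and len(p) <= 4:
        problems.append("four-digit numeric PIN")
    if ssn and birthdate and p in pii_derived_pins(ssn, birthdate):
        problems.append("derived from SSN or birthdate")
    if p in breached:
        problems.append("present in breach corpus")
    if len(p) < 12:  # assumed minimum; multi-factor authentication is still required on top
        problems.append("shorter than 12 characters")
    return problems


if __name__ == "__main__":
    print(validate_credentials("admin", "admin"))
    print(validate_credentials("clerk42", "0412",
                               ssn="123-45-6789", birthdate=date(1980, 4, 12)))
    print(validate_credentials("clerk42", "correct horse battery staple"))
```

Note that the PII-derived check only works when the policy engine is given the subject's SSN and birthdate at enrolment time; the point of the example is that a PIN which looks random to the server is trivially guessable to an attacker who already holds the same personal data, which is exactly the data Equifax was guarding.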
Equifax also failed to adequately monitor its networks and systems, which greatly exacerbated the fallout of the Data Breach. According to the Plaintiff, Equifax failed to establish mechanisms for monitoring its networks and systems to alert when a threat existed. Such mechanisms include maintaining activity logs, setting up processes for tracking malicious scripts, and implementing file integrity monitoring. According to cybersecurity experts, logging is a “simple but crucial cybersecurity technique” in which a company monitors its systems by continuously logging network access so as to identify unauthorized users. This failure by Equifax greatly compounded the magnitude of the Data Breach’s impact. According to experts, a breach as large scale as this one would not have occurred if Equifax had implemented better monitoring systems. If adequate monitoring systems had been in place, Equifax could have identified the breach much earlier and prevented the exfiltration of consumer data from its network. Improved logging techniques also could have enabled Equifax to expel the hackers from its systems and minimize the impact of the breach. Instead, due in part to Equifax’s failure to implement effective logging techniques, hackers were able to continuously access this sensitive personal data for over 75 days. Equifax’s failure to utilize proper network monitoring, one of the most basic cybersecurity practices, demonstrates the fundamental deficiencies in its networks.
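Two of the monitoring controls the complaint names, activity logging that flags unauthorized use and file integrity monitoring, are simple enough to show end to end. The following is an added example written for this page, not Equifax's code; the access-log format, the dispute-portal paths, the IP addresses, the alert threshold and the web-root contents are all constructed for illustration. The first rule sums the records returned to each (source IP, user) pair over a sliding ten-minute window and alerts the first time the total exceeds a baseline, which is the kind of signal a 75-day bulk pull would trip within minutes rather than weeks; the second hashes a web root and reports files that were added or modified since the baseline, which is how a dropped script on a public-facing server gets noticed.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines for a hypothetical dispute portal, one event per line:
# "<ISO-8601 UTC time> <source IP> <user> <path> <HTTP status> <records returned>"
SAMPLE_LOG = """\
2017-05-13T22:00:01Z 198.51.100.10 clerk42 /disputes/view 200 1
2017-05-13T22:00:09Z 198.51.100.10 clerk42 /disputes/view 200 1
2017-05-13T22:01:30Z 203.0.113.7 admin /disputes/export 200 5000
2017-05-13T22:02:14Z 203.0.113.7 admin /disputes/export 200 5000
2017-05-13T22:03:02Z 203.0.113.7 admin /disputes/export 200 5000
2017-05-13T22:05:45Z 198.51.100.11 clerk17 /disputes/view 200 1
2017-05-13T22:07:31Z 203.0.113.7 admin /disputes/export 200 5000
""".splitlines()


def parse_line(line):
    ts, ip, user, path, status, records = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "user": user, "path": path,
        "status": int(status), "records": int(records),
    }


def detect_bulk_access(lines, window=timedelta(minutes=10), max_records=1000):
    """Sliding-window volume rule: alert once per (ip, user) whose successful
    requests returned more than `max_records` within any `window`.
    The threshold is an assumed baseline for a clerk working one dispute at a time."""
    recent = defaultdict(deque)   # (ip, user) -> deque of (timestamp, records)
    totals = defaultdict(int)     # running sum of records inside the window
    alerted, alerts = set(), []
    for ev in map(parse_line, lines):
        if ev["status"] != 200:
            continue
        key = (ev["ip"], ev["user"])
        recent[key].append((ev["ts"], ev["records"]))
        totals[key] += ev["records"]
        # Expire events that have fallen out of the trailing window.
        while recent[key] and ev["ts"] - recent[key][0][0] > window:
            _, old = recent[key].popleft()
            totals[key] -= old
        if totals[key] > max_records and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "at": ev["ts"], "records": totals[key]})
    return alerts


def fingerprint(files):
    """Map path -> SHA-256 of contents. A real deployment walks the web root on
    disk; here `files` is an in-memory {path: bytes} dict for the example."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def fim_diff(baseline, current):
    """Compare two fingerprint maps and report what changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


# Constructed web root: a baseline snapshot and a later one in which index.jsp
# was edited and an unexpected script file appeared.
WEBROOT_BASELINE = {
    "/var/www/portal/index.jsp": b"<html>portal</html>",
    "/var/www/portal/WEB-INF/web.xml": b"<web-app/>",
}
WEBROOT_NOW = {
    **WEBROOT_BASELINE,
    "/var/www/portal/index.jsp": b"<html>portal</html><%-- edited --%>",
    "/var/www/portal/upload.jsp": b"<% /* unexpected script */ %>",
}

if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print("ALERT bulk access:", alert)
    print("FIM:", fim_diff(fingerprint(WEBROOT_BASELINE), fingerprint(WEBROOT_NOW)))
```

In the sample the admin account at 203.0.113.7 trips the rule on its first 5,000-record export, while the two clerks viewing single disputes never do; in practice the baseline would be learned per role from historical logs rather than hard-coded. The FIM baseline must itself be stored somewhere the web server cannot write, otherwise an attacker who can drop a file can also rewrite the hashes.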
Additionally, not only did Equifax fail to encrypt the sensitive personal data in its custody, but that data also was “accessible through a public-facing, widely used website”, according to the aforementioned court document. Any attacker who compromised that web server therefore had immediate access to the sensitive personal data in plain text.
Elizabeth Warren, one of the two United States Senators representing the state of Massachusetts, is featured in this video from the Committee on Banking, Housing and Urban Affairs hearing entitled An Examination of the Equifax Cybersecurity Breach on Wednesday, October 4, 2017. She put a brutally frank round of questions to Richard F. Smith, the former chief executive officer of Equifax, which is well worth watching.
The complete video of the entire hearing, which runs approximately a minute shy of two hours, is here, as is the entire prepared statement by Smith.
Consumers who were affected by the security breach were initially offered a choice of free credit monitoring services or a cash payment of $125.00, as well as the possibility of being eligible for cash payments of up to a maximum of $20,000.00, under the resulting Equifax lawsuit settlement…
…until the Federal Trade Commission of the United States confirmed on Wednesday, July 31, 2019 that you will likely not receive a payment of $125.00 if you opt for cash instead of free credit monitoring, simply because the funds set aside for that payment were not enough to satisfy every claim given the overwhelming response by people whose personal data was affected by the security breach. Additional information and answers to frequently asked questions pertaining to the Equifax Data Breach Settlement are found here.
The motion to dismiss the securities fraud class action claim against Equifax was ultimately denied on Monday, January 28, 2019 by Thomas W. Thrash, the United States District Judge who presided over this case.
Summary
I initially thought that $125.00 was an absolute bargain as punishment for the result of irresponsible handling of sensitive data by Equifax — especially when the sensitive personal data was so callously handled in such a lackadaisical and cavalier manner by using the term admin as such a ridiculously rudimentary method of password protection. For the potential problems — including violation of privacy, possible financial issues and even identity theft, which is difficult to resolve — the average consumer faces because of the breach of what is supposed to be confidential and secured information, I think Equifax should pay significantly more than $125.00 per person.
I realized that the terms and stipulations of the settlement of a lawsuit cannot be amended once it is agreed upon by all parties; but the breach of sensitive data is becoming all too commonplace these days. The ink has not yet dried on the Equifax lawsuit settlement; and now comes a lawsuit against Capital One for its culpability in not doing enough to proactively protect the sensitive data of greater than 100 million of its customers. Companies wind up getting away with little more than a slap on the wrist; the lawyers are getting wealthier; and the poor consumer gets pennies on the dollar for his or her troubles, if he or she is lucky.
I have one question: how do we know that the free credit monitoring services are safe and that our sensitive personal data may not eventually be compromised with them? What guarantees are there to the average — and innocent — consumer? What if a data breach occurs with one of them?
The official slogan for the Federal Trade Commission of the United States is “Protecting America’s Consumers” in big bold letters…
…but somehow, I do not feel all that protected when it comes to my personal information. There is something really wrong with this system.
Photograph ©2016 by Brian Cohen.