Uzado published a blog years ago titled “Don’t Make Password your Password.” The cybersecurity “experts” at Equifax would have been wise to read it prior to their breach in 2017. A recent filing in the United States District Court for the Northern District of Georgia, Atlanta Division, shows that the username and password the company used to protect a portal for managing credit disputes were both “admin.” The class action lawsuit calls this “a sure-fire way to get hacked.”
The Equifax breach happened because the firm failed to patch a web server. With or without that patch, however, it seems Equifax was headed for a breach anyway: the first credential a hacker is likely to try is the default “admin” username with “admin” as the password. The other security issue the lawsuit mentions is that Equifax “was storing unencrypted user data on a public facing server–so it could have been viewed by any attacker who chose to compromise it. Meanwhile, Equifax didn’t encrypt its mobile applications either–and when it did encrypt data, it left the encryption keys on the same public facing servers.” Encryption buys nothing when the key sits next to the ciphertext on the same exposed host, and you don’t have to be an expert to know that these are not good security practices. The court filing also argues that Equifax’s encryption practices fell short of industry standards and data security laws, going so far as to say that the company “did not know what they were doing with respect to data security.”
Since the big breach of 2017, Equifax has paid more than $300 million toward credit monitoring services for the impacted customers. It has also compensated customers who incurred out-of-pocket expenses as a result of the breach. In July of this year, Equifax agreed to a settlement of up to $700 million over the hack, with $425 million of that due to go into a fund to compensate affected customers.
What all this shows is that even two years later, details about the Equifax mega breach continue to emerge. If there is something other organizations can learn from this, it’s that poor cybersecurity practices can be truly devastating to your customers, your future revenue and ultimately your brand. What’s worse, it seems that basic cybersecurity practices such as changing default credentials and using strong passwords, encrypting databases and keeping the keys off the servers that hold the data, and patching servers promptly could have prevented all of this. Isn’t it better to have all your security “ducks in a row” prior to a possible breach than after?