In 2017, the Equifax data breach affecting over 147 million people in the United States, Canada and UK quickly made history as the first-ever “mega-breach.” Two years later, it still ranks as one of the worst data breach violations in history. Unfortunately, as the details of a new Equifax lawsuit reveal, there is a very strong likelihood the entire data breach could have been avoided in the first place if the company had adopted even the most basic security protocols.
Equifax uses “admin” as both a username and password
There is perhaps no better example of just how egregious the security flaws at Equifax were than the fact that the company used “admin” as both a username and password on a portal used to manage customer credit disputes. As anyone familiar with IT security knows, “admin” is a typical default password that is incredibly easy for hackers to guess. In fact, the default “admin” username/password combo is so well known and so often exploited that the class action lawsuit brought against Equifax alleges that this embarrassing security flaw was “a surefire way to get hacked.”
And it gets worse than that, because Equifax, which handles both credit monitoring and credit reporting, didn’t even bother to encrypt a vast trove of personal data. It turns out that Equifax was storing unencrypted user data on a public-facing server. Moreover, Equifax did not encrypt any of its mobile apps. In fact, even when Equifax did encrypt its trove of personal information, it left the encryption keys on the same public-facing servers. This would be equivalent to locking the front door of your home, but leaving the house keys in plain sight right on the front step.
As details of the Equifax lawsuit get publicized, it appears as though there was a systemic breakdown in the company’s security practices – something that is all the more puzzling given the very fact that Equifax is in the data business, and that its entire business model is based on the collection, sharing and analysis of data. Surely, the plaintiffs in the Equifax lawsuit allege, the company could have at least been encrypting user data and taking basic steps to secure sensitive personal information?
Implications of the Equifax lawsuit for other companies
What is most striking about the Equifax lawsuit is that it is a class action suit that aggregates the claims of 373 other lawsuits, all of them brought by shareholders of the company. In other words, the new Equifax lawsuit, filed in the U.S. District Court for the Northern District of Georgia (Atlanta Division), is really a rebellion of angry shareholders. This group alleges the company did not adequately disclose risks or security practices. The implication is that the shareholders would have dumped their shares in the company if they had known how risky and unsafe their investment in Equifax was. In short, they are implying that Equifax could be guilty of securities fraud.
This shareholder rebellion is indicative of the fact that cybersecurity practices are now becoming a much more visible part of the investment due diligence process. In the past, investors might have skipped over the cyber risks posed by a company, but not anymore. They will be taking a much closer look at the security practices of companies before they invest – and they will also expect company management to take the same care and consideration before they undertake a merger or acquisition. They will also expect companies to have best-in-class internal security practices in place.
Patrick Ciavolella, digital security and operations director at The Media Trust, comments on the importance of setting up the right internal IT security controls within any organization: “The data breaches that have made the news are often carried out by external malicious actors. But what is often overlooked is the role insiders–from employees to contractors–play in enabling these breaches. At least half of all security breaches are linked to either negligent or malicious insiders. What’s more, insider threats are harder to detect or prevent on the one hand and can exact the most damage on the other. Insider threats require a holistic approach that combines heightened and frequent cybersecurity training with better controls.”
Understandably, the plaintiffs in the Equifax lawsuit are angry that the company’s senior leadership made “multiple false and misleading statements and omissions,” all of which sought to cover up the true extent of the security scandal at the company. This, too, is significant in light of pending new legislation from Senator Ron Wyden (D – Oregon), who is proposing a new privacy bill that would include jail time for any senior executives found guilty of lying or making deceptive statements about the security practices of their organization. As it currently stands, the Mind Your Own Business Act would call for jail terms of anywhere from 10 to 20 years for senior executives, depending on the seriousness of the charges. In the future, then, this type of Equifax lawsuit might actually end up with corporate executives thrown into prison for covering up security breaches.
Lessons learned from the Equifax mega-breach
The fact that the Equifax mega-breach is still relevant nearly two years after it occurred is telling. A U.S. congressional report from December 2018, which is the basis for much of the new Equifax lawsuit, concluded that the company failed to implement adequate security practices. Now, as more details get revealed in the course of this new Equifax lawsuit, we are starting to see the precise details of what led to this highly critical assessment.
It’s almost as if the Equifax breach were the perfect example of what NOT to do if you’re in charge of IT security at a major company. At a minimum, companies need to check that they are not using weak passwords and security questions for any sensitive data. (“Admin” surely qualifies as one of the weakest possible username/password combos.) They also need to make sure that they are taking advantage of encryption technology to protect as much data as possible, especially any sensitive personal information such as Social Security Numbers, home addresses, and dates of birth. The Equifax data breach, for example, resulted in the Social Security Numbers and personal addresses of at least 147 million people being revealed to a third-party hacker.
In addition, companies should be adopting new technologies, such as multi-factor authentication, in order to prevent brute force attacks that attempt to guess password and username combos. In the case of Equifax, some form of multi-factor authentication might have been able to stave off an attack, even if the hacker knew the “admin” username/password combo. And, finally, companies need to do a much better job of monitoring their networks and systems. The default assumption needs to be that hackers are constantly probing their networks and systems, and faced with this omnipresent risk, companies need to be doing more to beef up their overall IT security.
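The two lessons above, weak default credentials and unmonitored login attempts, can both be checked with a few lines of code. The following Python script is an added example, not code from the article or from Equifax. It rejects a credential pair that matches a well-known default such as “admin”/“admin” or fails a minimum-length rule, and it flags source addresses that produce a burst of failed logins in an authentication log. The log line layout, the default-credential list, the 12-character minimum and the five-failures-in-ten-minutes threshold are all assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Added example (not from the article): defender-side checks for two of the
Equifax lessons, weak default credentials and undetected brute-force logins.
Log format, deny-list and thresholds are assumptions for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed deny-list of well-known default pairs; a real one would be far larger.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("guest", "guest"),
}

MIN_PASSWORD_LENGTH = 12  # assumed policy minimum


def credential_problems(username: str, password: str) -> list[str]:
    """Return the reasons a username/password pair is unacceptable (empty if OK)."""
    problems = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("well-known default credential pair")
    if username.lower() == password.lower():
        problems.append("password equals username")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


# Assumed log line layout: ISO timestamp, "login", result, user=..., src=...
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) login (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def brute_force_sources(log_lines, threshold: int = 5, window=timedelta(minutes=10)) -> dict[str, int]:
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failed logins inside some sliding window of length `window`."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for line in log_lines:
        m = LOG_PATTERN.match(line.strip())
        if not m or m["result"] != "failure":
            continue  # skip non-matching lines and successful logins
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))

    flagged: dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the window fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


# Constructed sample log: one source hammering "admin", one ordinary user.
SAMPLE_LOG = [
    "2019-01-01T10:00:00 login failure user=admin src=203.0.113.7",
    "2019-01-01T10:00:05 login failure user=admin src=203.0.113.7",
    "2019-01-01T10:00:10 login failure user=admin src=203.0.113.7",
    "2019-01-01T10:00:15 login failure user=admin src=203.0.113.7",
    "2019-01-01T10:00:20 login failure user=admin src=203.0.113.7",
    "2019-01-01T10:00:25 login success user=admin src=203.0.113.7",
    "2019-01-01T10:01:00 login failure user=alice src=198.51.100.4",
    "2019-01-01T10:30:00 login success user=alice src=198.51.100.4",
]

if __name__ == "__main__":
    print(credential_problems("admin", "admin"))
    print(brute_force_sources(SAMPLE_LOG))
```

The credential check belongs in a deployment or configuration gate so a default pair never reaches a production portal; the log check is the simplest form of the monitoring the article calls for, and in practice the burst followed by a success (the last “admin” line in the sample) is the event most worth alerting on.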
Cybersecurity now a board-level priority
If nothing else, the Equifax lawsuit – and all of the embarrassing security weaknesses that it is revealing – should be a wakeup call to C-suite executives and board members. If cybersecurity was not yet a board-level priority, it should be now. In the future, a mega-breach of the same scale might do more than just result in huge financial losses and damaging lawsuit claims – it might also end up with those same executives and board members headed to prison.