Equifax used 'admin' as username and password for sensitive data: lawsuit

Ethan Wolff-Mann
Senior Writer

Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.

The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.

“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.

The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and that it was kept on a public-facing website.

When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers but from shareholders who allege the company didn’t adequately disclose risks or its security practices.

The lawsuit was filed by people who bought shares of Equifax between Feb. 25, 2016 and Sept. 15, 2017. In September 2017 Equifax announced a data breach that exposed the personal information of 147 million people. The company settled with the FTC for $425 million in September 2019.

The lawsuit claims damages from the fact that the investments lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”

In March 2018, Equifax filed a motion to dismiss the case.

Equifax's 1-year performance, charted on Yahoo Finance Premium with significant events.

“Plaintiff’s Complaint is devoid of facts even plausibly suggesting that Defendants were aware of any information contradicting their public statements when made,” the motion reads. “Instead, Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”

The motion to dismiss was rejected by the court in January 2019.

“Equifax’s cybersecurity was dangerously deficient,” the court said. “The company relied on a single individual to manually implement its patching process across its entire network.”

The class action is pending certification.

Equifax did not respond to a request for comment by the time of publication.

--

Ethan Wolff-Mann is a writer at Yahoo Finance focusing on consumer issues, personal finance, retail, airlines, and more. Follow him on Twitter @ewolffmann.
