Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.
The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.
“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.
The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.
When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”
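The three deficiencies described above (a vendor-default credential pair on a portal, sensitive data stored unencrypted, and encryption keys kept on the same public-facing server as the data) are all things a deployment audit can flag before an attacker does. The following is an added example, not Equifax's code or anything from the lawsuit; the config keys (`username`, `password`, `stores_pii`, `encrypted`, `key_path`, `public_root`), the default-credential denylist and the sample services are all constructed for illustration.

```python
"""Configuration-audit example for the weaknesses the lawsuit describes.
Added illustration only; field names and sample values are constructed."""
from pathlib import PurePosixPath

# Constructed denylist of vendor-default credential pairs. A real audit would
# load a maintained list; this is only enough to show the check.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}


def audit_service(cfg: dict) -> list[str]:
    """Return the findings for one service's deployment configuration.

    Assumed keys: username, password, stores_pii (bool), encrypted (bool),
    key_path (path to the data-encryption key, or None), public_root (the
    directory served to the public).
    """
    findings = []
    user = (cfg.get("username") or "").lower()
    pw = (cfg.get("password") or "").lower()

    # 1. Credentials: known default pair, or username reused as password.
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("default credential pair in use")
    elif user and user == pw:
        findings.append("username and password are identical")

    # 2. Sensitive data at rest must be encrypted.
    if cfg.get("stores_pii") and not cfg.get("encrypted"):
        findings.append("sensitive data stored unencrypted")

    # 3. Encryption is only useful if the key is not sitting next to the
    #    ciphertext on the public-facing host: flag keys under the served root.
    if cfg.get("encrypted") and cfg.get("key_path") and cfg.get("public_root"):
        key = PurePosixPath(cfg["key_path"])
        root = PurePosixPath(cfg["public_root"])
        if key.is_relative_to(root):
            findings.append("encryption key stored under the public-facing root")

    return findings


def audit_all(services: dict) -> dict:
    """Audit every service and return only those with findings."""
    report = {name: audit_service(cfg) for name, cfg in services.items()}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (not real systems).
SAMPLE_SERVICES = {
    "dispute-portal": {
        "username": "admin", "password": "admin",
        "stores_pii": True, "encrypted": False,
        "key_path": None, "public_root": "/var/www/html",
    },
    "archive-portal": {
        "username": "ops-svc", "password": "ops-svc",
        "stores_pii": True, "encrypted": True,
        "key_path": "/var/www/html/keys/master.key", "public_root": "/var/www/html",
    },
    "hardened-portal": {
        "username": "svc-disputes", "password": "Xq7!v2Lm#p9RtWz",
        "stores_pii": True, "encrypted": True,
        "key_path": "/etc/app/keys/master.key", "public_root": "/var/www/html",
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The key-location check deliberately uses path containment rather than a filename pattern, so a key anywhere beneath the served tree is caught regardless of what it is called; the credential check lowercases both fields because default accounts are rarely case-sensitive in practice.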
The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers, but rather shareholders that allege the company didn’t adequately disclose risks or its security practices.
The lawsuit was filed by people who bought shares of Equifax between Feb. 25, 2016 and Sept. 15, 2017. In September 2017 Equifax announced a data breach that exposed the personal information of 147 million people. The company settled with the FTC for $425 million in September 2019.
The lawsuit claims damages from the fact that the investments lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”
In March 2018, Equifax filed a motion to dismiss the case.
“Plaintiff’s Complaint is devoid of facts even plausibly suggesting that Defendants were aware of any information contradicting their public statements when made,” the motion reads. “Instead, Plaintiff’s claims hang almost entirely on the unsupported and implausible notion that Defendants knowingly and deliberately failed to patch the software vulnerability at issue in the Cybersecurity Incident—at no conceivable benefit to themselves.”
The motion to dismiss was rejected by the court in January 2019.
“Equifax’s cybersecurity was dangerously deficient,” the court said. “The company relied on a single individual to manually implement its patching process across its entire network.”
The class action is pending certification.
Equifax did not respond to a request for comment by the time of publication.