Skip to main content
  1. Home
  2. Computing
  3. News

Security firm says Equifax made it far too easy to access salary and job data

Mark Coppock
By

cfpb investigation equifax hack headquarters
Smith Collection/Gado/Getty Images
One of the more notorious data breaches in 2017 was the Equifax hack that exposed the private information of roughly 145 million Americans. The Equifax breach is particularly troublesome because of the company’s status as a central clearinghouse for some of the most sensitive information that’s stored online. Now, it appears that the company’s lax security extends beyond basic security and may have made salary and employment information far too easy to access.

The news comes via KrebsonSecurity, which broke the story on October 8, 2017. Apparently, Equifax TALX, a service that is used for automatic verification of income and employment history data that’s used when someone applies for a loan, has utilized authentication procedures that are far too easy to bypass. Simply put, accessing the data is far too easy for anyone with access to information — such as social security numbers and dates of birth — that has been readily available for many people thanks to past data breaches.

Recommended Videos

The TALX system should only be accessible by credentialed companies such as banks and employers. As KrebsonSecurity discovered, however, many accounts can be accessed merely by entering an employer name and a complete or partial social security number. Then, the PIN that’s requested is in a majority of cases just a date of birth in easily guessed formats. Once validated, some very juicy information is available, including salary and employment history that dates back a decade or more.

Related

Even the system’s advance authentication can be bypassed if the TALX customer failed to fully populate all the relevant information, and in many cases, detailed instructions on how to complete the authentication forms is available online. That makes it far too easy for nefarious parties to guess at how to successfully authenticate and gain access to the system.

If you’re concerned about your information being made accessible to unauthorized parties, then KrebsonSecurity provides a way to help safeguard your data:

“Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can do this by claiming your own account, changing the PIN, and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.”

As KrebsonSecurity notes in an update, Equifax has taken the TALX portal down for scheduled maintenance. It’s unknown whether that’s purely coincidental or if it’s in response to the story that was published yesterday. In addition, some commenters on the original story indicated that additional steps are being added that should help, although the data is still too easily accessible for anyone who’s willing to do the necessary research.

Editors' Recommendations

Topics
Mark Coppock
Mark Coppock
Computing Writer
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
How to file a claim for $125 if you were hit by the 2017 Equifax data breach
equifax security breach

If your Social Security number was exposed in the 2017 Equifax data breach, you can finally file a claim for $125 -- or potentially more -- in compensation.

The consumer credit reporting agency agreed on a $575-$700 million settlement with the Federal Trade Commission (FTC) on Monday. The 2017 data breach impacted the personal information of approximately 147 million people, including Social Security numbers and other private data. 

Read more
Equifax agrees to pay $700 million settlement for its 2017 data breach
equifax security breach

Equifax has agreed to pay up to $700 million as part of a settlement agreement reached in regard to its 2017 data breach.

According to Reuters, the consumer credit reporting agency’s settlement is the “largest-ever settlement for a data breach” and effectively ends the investigations into the company by the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and “nearly all state attorneys general.”

Read more
British Airways hit with a massive fine for 2018 data breach
british airways cabin crew given ipads

A data breach in 2018 that saw hackers steal personal data belonging to hundreds of thousands of British Airways customers has cost the company nearly 184 million British pounds (about $230 million), making it the biggest fine ever imposed for an incident of this kind.

The U.K.’s Information Commissioner’s Office (ICO) said it handed down the fine for breaches of data protection law that it said resulted from “poor security arrangements” at the company.

Read more