Lawsuit alleges Equifax’s stupid password made it super-easy to steal your data

Remember that epic Equifax hack from 2017? As it turns out, the company made it pretty easy for hackers to get in. A recent filing in the United States District Court for the Northern District of Georgia, Atlanta Division points out a few of the company’s missteps that might have led to the breach.

The first of those issues comes in the form of the password the company used to protect a portal used to manage credit disputes. While you might think a major company holding personal information like people’s names, addresses, and social security numbers might use an exceptionally secure password in that instance, it actually went for something different: It used “admin” as both the username and password for the portal.

Not exactly the most secure move.

If the shoddy password wasn’t enough, the company also stored unencrypted user information on a public-facing server. That meant that any attacker that compromised the website’s server would immediately have access to all the personal information stored on it, with no additional work required.

The website also wasn’t the only thing it left unencrypted. The company also failed to encrypt its mobile applications, so not only was it keeping sensitive data unencrypted on its own server, it was transmitting that data unencrypted over the internet.

When it did finally encrypt that data, it “left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

The court filing suggests that Equifax’s encryption protocol fell short of industry standards and data security laws, going as far as to say that the company “did not know what they were doing with respect to data security.”

The hack on Equifax in 2017 reportedly impacted approximately 147 million people, exposing their personal information and social security numbers.

As part of a settlement from the incident, Equifax is paying more than $300 million toward credit monitoring services for the impacted customers. It’s also compensating customers who paid out-of-pocket expenses as a result of the breach.

If you were impacted, you can apply to receive credit monitoring services or a $125 settlement via Equifax’s site now.

Emily Price
Emily is a freelance writer based in San Francisco. Her book "Productivity Hacks: 500+ Easy Ways to Accomplish More at…
Doordash data breach affects 4.9 million people, divulges physical addresses

Doordash is the latest tech company to suffer a major data breach. The company has announced that an unauthorized third party was able to gain access to Doordash user data on May 9, 2019, in a breach that affected a hefty 4.9 million users, delivery drivers, and merchants. According to the company, users who joined after April 5, 2018, were not affected by the breach.

"We take the security of our community very seriously. Earlier this [year], we became aware of unusual activity involving a third-party service provider," said the company in a blog post. "We immediately launched an investigation and outside security experts were engaged to assess what occurred."

1.5% of Chrome users’ passwords are known to be compromised, according to Google

1.5% of passwords used in Chrome are unsafe and have been released in data breaches, according to new information from Google.

In February, a new feature was introduced to the Google Chrome browser which checks whether users' passwords are secure. Password Checkup is a free download that scans a database of 4 million compromised passwords and informs users if their password is among them and they need to change it. The database of passwords is collated from known third-party data breaches and when a user enters their password, it is checked against the list.

Lawsuit over Capital One data breach could eventually get you sweet revenge

If you were affected by the massive Capital One data breach, you might be entitled to cash down the line thanks to a new class-action lawsuit being filed against the company.
The Miami-based law firm Colson Hicks Eidson filed a class-action lawsuit Tuesday against Capital One Financial Corporation “for negligence in failing to safeguard consumers’ personal information” in the recent data breach that impacted 100 million consumers. It's not clear what will come with the lawsuit down the line, but a massive settlement could be seen as a significant deterrent against companies that don't do enough to safeguard personal data. And it could net you a couple of bucks -- if you were affected. 
"Capital One was reckless and completely disregarded the rights of consumers by failing to implement and maintain adequate data security measures and therefore exposed information to criminals for misuse,” said Lewis S. Mike Eidson, co-counsel for the plaintiffs. “Through this lawsuit, we hope to prevent a re-occurrence of a similar data breach, which has caused tremendous grief and compromised the financial standing and credit scores for so many.”   
If you missed the story of the breach, the short version is that thanks to a faulty firewall, a hacker was able to gain access to the bank’s cloud repository in March of 2019. That hacker collected the personal information from roughly 100 million Capital One customers' credit card applications, authorities said. The hacker then allegedly posted information about the breach on their GitHub account in the middle of April, making it potentially available to others who could use it in nefarious ways.
The alleged hacker, Paige A. Thompson, was arrested in July for the hack. She previously worked for Amazon Web Services (AWS), which handles Capital One’s cloud database.
At the time of the announcement of the hack, Capital One said that it is “unlikely that the information was used for fraud or disseminated by this individual,” but it had plans to continue to investigate.
Despite that timeline, Capital One did not alert its customers of the breach until July 29, 2019. The information in question was also still available online until at least July 17, 2019, when the bank was notified by an anonymous tipster.
If you're worried that you were affected by the hack -- and there's a good chance you were, considering how big it was -- there are a number of steps you can take to protect yourself.
Capital One has said that it will be notifying those impacted by the hack “through a variety of channels.” We reached out to the company for comment on the class-action lawsuit, and will update this story if we hear back.
The lawsuit was filed in Federal Court in the Eastern District of Virginia on behalf of plaintiffs Maria de Lourdes Tester and Tracy Elizabeth Masi.