Following the recent disclosure of a massive breach of consumer data from Equifax, researchers at Comodo and Hold Security found evidence of more security failures at the company — and Bloomberg reported that Equifax suffered an additional breach in March of this year.
Hold Security researchers recently discovered that the Web portal Equifax uses to manage credit report disputes from consumers in Argentina was protected by the unfortunate user name/password combination “admin/admin,” investigative reporter Brian Krebs reports.
Accessing that portal enabled anyone to add, modify and delete user accounts, view employee user names and passwords (all of which were simply the employee’s first initial and last name), and view 14,000 records of consumer disputes, each of which listed the complainant’s DNI (Argentina’s Social Security number) in plain text.
“To me, this is just negligence,” Hold Security founder Alex Holden told Krebs. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”
Bloomberg reports that Equifax learned about another major breach back in March, almost five months before the one that was recently disclosed. While the company says the two breaches were not related, a source told Bloomberg that the two attacks involved the same intruders.
Equifax said the first breach, which involved a payroll service during the 2016 tax season, was disclosed to a small number of banking customers. It’s possible that breach didn’t expose sensitive enough data to trigger broader notification requirements.
It was previously reported that three Equifax executives sold stock soon after the discovery of the second breach — Bloomberg notes that company CFO John Gamble also sold 14,000 shares worth $1.91 million on May 23, raising further questions about his awareness of the two breaches prior to his sale of company stock.
Comodo researchers recently found more than 388 records of Equifax user and employee data, including user names, titles, passwords and login URLs, for sale on the dark Web. The data includes information on several members of senior management.
Equifax’s chief privacy officer, CIO, vice president of public relations and vice president of sales used all lowercase letters for their passwords, including easily guessable words like spouses’ names and city names.
“Ironically, these executives are the people that should be responsible for implementing best practices,” the researchers wrote. “Most systems and company policies insist on complex passwords with minimum password length and a mix of upper- and lowercase characters, combined with special characters and numerals.”
Still, a recent Intercede survey of 100 IT decision makers in the U.K. found that 86 percent of those with sysadmin-level access rights use only basic user name and password authentication to access their companies’ IT systems — and 17 percent use simple passwords of less than eight characters with no or minimal character-type variation to do so.
There is some variation by industry — in retail, distribution and transport, it’s even worse: 38 percent of those with sysadmin access use simple passwords of less than eight characters.
Fifty percent of all respondents admitted business user accounts in their organizations are “not very secure.”
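The weak-credential patterns this story describes (a vendor default such as admin/admin, passwords built from first initial plus last name, all-lowercase dictionary words, and passwords under eight characters with little character-type variation) are exactly what a credential audit should flag before an attacker does. The following checker is an added illustration written for this article; it is not code from Equifax, Comodo, Hold Security or Intercede. The default-credential list, the guessable-word list, the sample accounts and the "three of four character classes" threshold are constructed assumptions; the eight-character minimum follows the survey's own cutoff.

```python
import string

# Constructed sample data (hypothetical, not taken from the article): a tiny
# default-credential list and a tiny dictionary of guessable words. A real audit
# would load full breach-corpus and wordlist files instead.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
GUESSABLE_WORDS = {"password", "welcome", "atlanta", "buenosaires", "maria"}

MIN_LENGTH = 8         # the survey's "less than eight characters" cutoff
MIN_CHAR_CLASSES = 3   # assumed policy: three of lowercase/uppercase/digit/special


def char_class_count(password):
    """Count how many of the four character classes appear in the password."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes)


def name_derived(password, first_name, last_name):
    """True if the password is the user's first initial + last name (the scheme
    used on the Argentine dispute portal) or just the bare first or last name."""
    if not (first_name and last_name):
        return False
    candidates = {
        (first_name[0] + last_name).lower(),
        first_name.lower(),
        last_name.lower(),
    }
    return password.lower() in candidates


def check_credential(username, password, first_name=None, last_name=None):
    """Return a list of policy findings for one account; an empty list passes."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("default vendor credential")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if char_class_count(password) < MIN_CHAR_CLASSES:
        findings.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if password.isalpha() and password.islower():
        findings.append("all lowercase letters")
    # Strip non-letters so "atlanta1" still matches the dictionary word.
    stem = "".join(c for c in password.lower() if c.isalpha())
    if stem in GUESSABLE_WORDS:
        findings.append("dictionary word")
    if name_derived(password, first_name, last_name):
        findings.append("derived from user's name")
    return findings


def audit(accounts):
    """Run the policy over (username, password, first, last) tuples and return
    ({username: findings} for failing accounts, failure rate)."""
    failures = {}
    for username, password, first, last in accounts:
        findings = check_credential(username, password, first, last)
        if findings:
            failures[username] = findings
    rate = len(failures) / len(accounts) if accounts else 0.0
    return failures, rate


if __name__ == "__main__":
    # Constructed sample accounts mirroring the patterns the article describes.
    sample = [
        ("admin", "admin", None, None),
        ("jperez", "jperez", "Juan", "Perez"),
        ("cpo", "atlanta", "Ana", "Lopez"),
        ("cio", "Tr0ub4dor&3!", "Luis", "Gomez"),
    ]
    failures, rate = audit(sample)
    for user, why in failures.items():
        print(f"{user}: {', '.join(why)}")
    print(f"{rate:.0%} of accounts fail policy")
```

The checks are deliberately ordered so that one account can carry several findings; an auditor reading "default vendor credential" and "derived from user's name" on the same report learns more than a single pass/fail bit. In practice the check would run against a password hash store only through an offline cracking or k-anonymity lookup, never by collecting plaintext passwords as this toy does with its constructed input.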
“Sysadmins effectively hold the ‘keys to the kingdom,’ and relying on user name and password authentication is a bit like relying on a basic Yale lock to secure your front door,” Intercede CEO and chairman Richard Parris said in a statement.