You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Every Friday
GamesRadar+
Your weekly update on everything you could ever want to know about the games you already love, games we know you're going to love in the near future, and tales from the communities that surround them.
Every Thursday
GTA 6 O'clock
Our special GTA 6 newsletter, with breaking news, insider info, and rumor analysis from the award-winning GTA 6 O'clock experts.
Every Friday
Knowledge
From the creators of Edge: A weekly videogame industry newsletter with analysis from expert writers, guidance from professionals, and insight into what's on the horizon.
Every Thursday
The Setup
Hardware nerds unite, sign up to our free tech newsletter for a weekly digest of the hottest new tech, the latest gadgets on the test bench, and much more.
Every Wednesday
Switch 2 Spotlight
Sign up to our new Switch 2 newsletter, where we bring you the latest talking points on Nintendo's new console each week, bring you up to date on the news, and recommend what games to play.
Every Saturday
The Watchlist
Subscribe for a weekly digest of the movie and TV news that matters, direct to your inbox. From first-look trailers, interviews, reviews and explainers, we've got you covered.
Once a month
SFX
Get sneak previews, exclusive competitions and details of special events each month!
It's been more than two years since Equifax disclosed a data breach that exposed the details of nearly 150 million Americans, and it still ranks as one of the worst security screw-ups of all time. Adding insult to injury, new details have come to light that underscore just how careless Equifax might have been at the time.
A class action lawsuit (PDF) filed in the United States District Court for the Northern District of Georgia, Atlanta Division, alleges Equifax used the default username "admin" to protect a portal used to manage credit disputes. Same goes for the password—at the time of the breach, it too was still the default "admin," according to the lawsuit.
"This portal contained a vast trove of personal information. According to cybersecurity experts, these shortcomings demonstrated 'poor security policy and a lack of due diligence'. Equifax’s authentication practices fell short of the data security standards, which recommend the use of multi-factor authentication," the lawsuit states.
The class-action lawsuit says using the default password "is a surefire way to get hacked." It's certainly boneheaded, if in fact Equifax never bothered to change either the username or password, as the lawsuit alleges.
Other claims of security lapses are made in the lawsuit as well, each representative of a company that "allegedly failed to take some of the most basic precautions to protect its computer systems from hackers."
For example, in addition to the use of "weak passwords and security questions," the lawsuit claims "Equifax relied upon four-digit PINs derived from Social Security numbers and birthdays to guard personal information, despite the fact that these passwords had already been compromised in previous breaches."
According to the lawsuit, a breach of this size "would not have occurred if Equifax had implemented better monitoring systems."
Equifax is one of three major US credit monitoring bureaus. When first disclosing the breach, Equifax said it impacted around 143 million Americans. A year later, however, Equifax said it discovered at least 2.4 million more names that may have potentially been affected as well.
Hopefully this does not become an annual trend, where each year the news gets worse. That may have to wait for 2020, though, if the claims in the lawsuit are accurate.
