As we close in on a week since Equifax announced the massive hack that could potentially have exposed the financial information of 143 million consumers in the US, we have been left with many questions. How could a firm entrusted with our most sensitive financial data allow this to happen? Well, security researcher, Brian Krebs (who broke the Target breach story in 2014), reports today that the company still has some shocking vulnerabilities on its website in Argentina.
According to information supplied to Krebs by security researcher Alex Holden of Hold Security, the company is still leaving user data vulnerable to attacks. This firm began researching Equifax sites in South America, and found almost immediately that it was simple, pimple to get into an employee portal that had been designed for Equifax Argentina employees to manage credit disputes in the country. Unbelievably, it was "protected" with the user name admin and the password admin. It obviously didn't take a hacking genius to get inside.
Once in, the researchers found oodles of personally identifiable employee information including employee names and emails all exposed. What's more, Krebs reported that the admin could see the site user names in plain text, and while they didn't expose the passwords directly, it didn't take a monumental effort to expose them by right clicking and looking at the site source code. Incredibly, the user name, which was often just the employee last name, was the same as the password. The researchers also found, because they were granted administrative access, they could add, delete or modify the employee records.
From there the researchers were able to quickly access consumer complaint records on the site, again chock full of PII including the Argentine equivalent of the social security number. You probably couldn't be more careless with PII if you were trying.
The only good news to report here is that once Krebs informed the company of the problem, they wisely shut down the site and are investigating how it happened.
It would be nice to think that perhaps the company was a victim like so many companies before it of clever hackers using social engineering to make their way inside the system to carefully extract information, but it appears with evidence like this that there is gross incompetence involved, and that makes this all even harder to bear.