Equifax staffers used the default user name and password – ‘admin’ – to secure a portal containing sensitive customer information, Computing reported.
That’s according to a class-action lawsuit launched against the company in the US, claiming securities fraud by the company over the 2017 data breach that spilled information on around 148 million accounts of people in the US, Canada and the UK.
The Equifax breach is one of the worst we’ve seen in the past few years and it once again highlights that password culture needs to change. The fact is that humans are still the weakest link in our cyber security defence strategies and the fact that nobody thought to change the default ‘admin’ username and password is another reason why passwords alone are ineffective. Organisations are still too casual with sensitive data. IT departments need to implement processes to enforce the change of default passwords and blacklist the use of commonly used passwords. Another solution is to implement MFA. If MFA has been implemented, then it doesn’t matter if your username and password have been compromised.
This simply reinforces the notion that good Privileged Access Management practices are the best defense against bad actors. Had the Equifax breach been the result of an extremely smart and motivated hacker doing something amazing to get the data, that would have been one thing. But since it’s the case of the target ignoring the bare minimum of best practices and paying a significant price for the oversight, what happened is alarming. In the case of Equifax, simply doing what’s right (which would have taken about 1 minute to implement) would have saved the company from a world of trouble.
Organisations should not treat database security any differently from other security. For instance, they should avoid sharing the admin password. In circumstances when the admin password is issued, they need to make sure they know who it was issued to, for what purpose, and that this has been documented. When employees have admin access, their actions need to be monitored.
Finally, organisations must implement analytics to determine if and when someone may have gained admin access without their knowledge or permission. To maintain these protocols, organisations should implement a comprehensive and well-designed PAM program and ensure that it includes databases and DBAs along with all other privileged users and admin accounts across all systems.
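The two controls recommended above, rejecting default or commonly used credentials at provisioning time and checking privileged logins against a documented issuance register, can be expressed as a small detection script. This is an added example, not code from the article or from any vendor quoted in it; the log format, the account names, the register entries and the sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime
# Constructed policy data for the example (not from the article).
PRIVILEGED_ACCOUNTS = {"admin", "root", "sa"}
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("sa", "sa")}
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome1"}

# Constructed issuance register: who was given the admin credential, why, and for how long.
ISSUANCE_REGISTER = [
    {"account": "admin", "issued_to": "jsmith", "purpose": "CHG-0042 index rebuild",
     "start": datetime(2019, 4, 1, 8), "end": datetime(2019, 4, 1, 12)},
]

# Constructed log format: "<ISO timestamp> LOGIN_OK account=<acct> actor=<person> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN_OK account=(?P<account>\S+) actor=(?P<actor>\S+) src=(?P<src>\S+)$")

def credential_policy_violations(username, password):
    """Return the policy rules a proposed credential breaks; an empty list means it is acceptable."""
    problems = []
    if (username.lower(), password.lower()) in DEFAULT_PAIRS:
        problems.append("vendor default credential pair")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password on common-password blocklist")
    return problems

def is_covered(account, actor, when, register):
    """True if a register entry documents this actor using this account at this time."""
    return any(e["account"] == account and e["issued_to"] == actor
               and e["start"] <= when <= e["end"] for e in register)

def unregistered_admin_logins(log_lines, register=ISSUANCE_REGISTER):
    """Flag successful privileged logins that no documented issuance covers."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["account"] not in PRIVILEGED_ACCOUNTS:
            continue  # unparseable or non-privileged: out of scope for this check
        when = datetime.fromisoformat(m["ts"])
        if not is_covered(m["account"], m["actor"], when, register):
            findings.append((m["ts"], m["account"], m["actor"], m["src"]))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "2019-04-01T09:15:00 LOGIN_OK account=admin actor=jsmith src=10.0.0.5",      # covered by register
    "2019-04-01T13:30:00 LOGIN_OK account=admin actor=jsmith src=10.0.0.5",      # outside approved window
    "2019-04-02T02:10:00 LOGIN_OK account=admin actor=unknown src=203.0.113.9",  # never issued
    "2019-04-02T02:11:00 LOGIN_OK account=alice actor=alice src=10.0.0.7",       # not a privileged account
]
```

Running `unregistered_admin_logins(SAMPLE_LOG)` yields the two admin logins that the register does not account for, which is the kind of finding the analytics described above should raise for review.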